Use a layered approach: strengthen authentication with MFA or passwordless, centralise access with SSO, and reduce post-login reach through least privilege. That combination lowers the number of credentials users manage while keeping stolen passwords from becoming full account compromise. Device checks and clear reporting paths close the loop.
Why This Matters for Security Teams
Remote and hybrid work changes the trust boundary. Security teams are no longer protecting a single office network; they are deciding how to let people reach SaaS apps, internal systems, and sensitive data from unmanaged networks, personal devices, and travel environments. The usual mistake is adding one more login prompt or one more VPN rule and calling that security. That adds friction without materially reducing risk if stolen credentials, weak device posture, or excessive standing access remain in place. The better starting point is to reduce the number of places a user can fail and to make access decisions more contextual, not more repetitive. The NIST Cybersecurity Framework 2.0 is useful here because it frames identity, access, and resilience as ongoing functions rather than one-time controls. NHI Management Group has also shown how exposure compounds when credentials are long-lived or poorly governed, as seen in the Schneider Electric credentials breach. In practice, many security teams discover the friction-versus-security tradeoff only after users start bypassing controls rather than through deliberate design.
How It Works in Practice
The least-friction pattern is to centralise authentication, minimise prompts, and push most of the security decision to the background. SSO reduces password sprawl, MFA or passwordless methods reduce phishing risk, and device posture checks can run at sign-in or continuously with minimal user interruption. The goal is not to trust every device equally, but to make higher-risk situations require stronger proof and lower-risk situations flow more smoothly. That aligns with the NIST Cybersecurity Framework 2.0 emphasis on governance and access control, and with NHI Management Group guidance on limiting standing exposure in the Ultimate Guide to NHIs. For human users, the same logic applies to session duration, conditional access, and application-scoped permissions. A practical rollout usually looks like this:
- Use SSO as the default entry point so users authenticate once and inherit policy from the identity provider.
- Prefer phishing-resistant MFA or passwordless for high-value systems, especially admin and finance workflows.
- Apply device checks for managed endpoints, with stricter controls for unknown, jailbroken, or out-of-date devices.
- Limit access by role and sensitivity so users only reach the apps and data they need.
- Shorten session lifetime and step-up only when risk changes, not on every click.
- Give users a simple reporting path for suspicious prompts, lost devices, and impossible travel alerts.
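The rollout steps above amount to a small, contextual access policy: strong proof for high-value apps, stricter handling of unknown or non-compliant devices, shorter sessions for contractors, and step-up only when risk changes. The following Python policy evaluator is an added illustration of that logic, not code from NHI Management Group or any identity provider; the app names, MFA method labels, session limits and risk signal names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy constants for this example; tune per environment.
HIGH_VALUE_APPS = {"payroll", "admin-console"}
PHISHING_RESISTANT = {"fido2", "passkey"}
MAX_SESSION_MIN = {"employee": 480, "contractor": 120}  # contractors get shorter sessions


@dataclass
class AccessContext:
    user_type: str          # "employee" or "contractor"
    app: str
    mfa_method: str         # "none", "otp", "push", "fido2", "passkey"
    device_managed: bool
    device_compliant: bool  # not jailbroken, OS patched, checked at sign-in
    session_age_min: int
    risk_signals: list = field(default_factory=list)  # e.g. "impossible_travel"


def decide(ctx: AccessContext) -> tuple:
    """Return (decision, reason); decision is 'deny', 'step_up' or 'allow'."""
    # Unknown, jailbroken or out-of-date devices never reach high-value apps.
    if ctx.app in HIGH_VALUE_APPS and not (ctx.device_managed and ctx.device_compliant):
        return ("deny", "high-value app requires a managed, compliant device")
    # Unrecognised user types get no access rather than a default session length.
    if ctx.user_type not in MAX_SESSION_MIN:
        return ("deny", "unrecognised user type")
    # Expired session: re-authenticate, with a shorter lifetime for contractors.
    if ctx.session_age_min > MAX_SESSION_MIN[ctx.user_type]:
        return ("step_up", "session lifetime exceeded")
    # Risk changed mid-session (e.g. impossible travel): step up once, not on every click.
    if ctx.risk_signals:
        return ("step_up", "risk signal: " + ",".join(ctx.risk_signals))
    # High-value workflows require phishing-resistant proof; OTP or push is not enough.
    if ctx.app in HIGH_VALUE_APPS and ctx.mfa_method not in PHISHING_RESISTANT:
        return ("step_up", "high-value app requires phishing-resistant MFA")
    # Everything else must at least have completed some MFA through the IdP.
    if ctx.mfa_method == "none":
        return ("step_up", "MFA required")
    return ("allow", "low-risk request on a known session")


if __name__ == "__main__":
    # Constructed sample requests showing the three outcomes.
    samples = [
        AccessContext("employee", "wiki", "push", True, True, 30),
        AccessContext("employee", "payroll", "push", True, True, 30),
        AccessContext("contractor", "wiki", "otp", True, True, 150),
        AccessContext("employee", "admin-console", "fido2", False, False, 5),
    ]
    for s in samples:
        print(s.user_type, s.app, decide(s))
```

Note that the same user with the same MFA method can be allowed into a low-risk app and prompted again for payroll, which is the "step up when risk changes, not on every click" behaviour the rollout describes.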
Common Variations and Edge Cases
Tighter access control often increases operational overhead, so organisations have to balance stronger assurance against support load and user experience. Best practice is evolving, but there is no universal standard for how much device trust or step-up authentication is enough in every environment. Highly regulated teams often accept more prompts for privileged actions, while frontline or field workers may need faster recovery paths and broader offline tolerance. That is where policy design matters more than tooling. A few edge cases deserve explicit handling. BYOD programs usually need containerisation or browser-based access rather than full device trust. Contractors may need narrower entitlements and shorter sessions than employees, especially when they work across multiple client environments. High-risk data operations, such as payroll changes or export-controlled information, should require stronger verification even if the same user can browse low-risk systems without interruption. Security teams also need a clear exception process, because unmanaged exceptions become standing access in disguise. NHI Management Group’s reporting on the broader identity attack surface is a reminder that visibility matters as much as authentication: the State of Non-Human Identity Security shows how often organisations lack confidence in identity controls overall. Hybrid work fails fastest when convenience exceptions become permanent policy and nobody revisits them after rollout.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity and access are central to low-friction hybrid work. |
| NIST CSF 2.0 | PR.AC-4 | Least-privilege access limits post-login reach for remote users. |
| NIST AI RMF | | Context-aware decisions reflect AI RMF governance and risk treatment logic. |
Use SSO, MFA, and conditional access to verify users before granting app access.
Related resources from NHI Mgmt Group
- How should security teams implement zero trust authentication without adding too much user friction?
- How should security teams implement just-in-time access without creating too much friction?
- How should organisations implement PSD2 controls without adding too much checkout friction?
- How should security teams reduce phishing risk in MFA without creating more user friction?
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org