They often treat friction as an implementation issue after the fact. In CIAM, friction is a governance variable because it changes abandonment, support demand, and the likelihood of users bypassing controls. The right question is not whether to add more controls, but which controls preserve both assurance and adoption.
Why This Matters for Security Teams
CIAM failures are rarely caused by a single weak control. More often, teams optimise for assurance in one place and push the user cost into another, then discover the real problem is abandonment, ticket volume, or workarounds that bypass the intended journey. NIST’s NIST Cybersecurity Framework 2.0 treats identity as a business enabler, which is the right lens for CIAM: the control has to survive real customer behaviour, not just audit language.
The mistake is assuming UX can be “fixed” after security design is complete. In practice, password resets, MFA prompts, step-up checks, device binding, and fraud controls all affect conversion and support demand at the same time. NHIMG research on the State of Non-Human Identity Security shows how often confidence lags behind actual protection, and that same pattern appears in CIAM when teams overestimate how much friction users will tolerate. In practice, many security teams encounter bypasses and shadow journeys only after abandonment has already become a revenue and support problem.
How It Works in Practice
Good CIAM design starts by separating controls that protect account integrity from controls that protect the customer experience. That means mapping where authentication, recovery, consent, and fraud checks occur, then deciding which ones can be stepped up only when risk changes. The goal is not to remove friction everywhere. It is to make friction proportional, explainable, and recoverable.
Security teams usually get better results when they treat authentication policy as a runtime decision, not a fixed wall. For example, a low-risk login from a familiar device may only need a passwordless flow, while a new device, impossible travel signal, or account recovery request may trigger stronger verification. This is consistent with the direction of current guidance in NIST Cybersecurity Framework 2.0, which emphasises outcomes such as resilience and continuous improvement rather than one-size-fits-all controls. It also aligns with what NHIMG highlights in the 2024 Non-Human Identity Security Report: organisations need security models that adapt to how identities are actually used.
- Use step-up authentication only when risk signals justify it.
- Minimise repeated prompts across sessions, devices, and channels.
- Make recovery flows stronger than login, because attackers target resets.
- Measure abandonment, contact-centre load, fraud loss, and time-to-access together.
Current practice also favours clearer customer messaging, because a control that is invisible but confusing still creates friction. These controls tend to break down when authentication is fragmented across legacy apps, outsourced identity providers, and disconnected recovery processes because the user experience becomes inconsistent and teams cannot tune policy centrally.
Common Variations and Edge Cases
Tighter security often increases operational overhead, requiring organisations to balance stronger assurance against conversion, support capacity, and accessibility. That tradeoff is real, especially in consumer banking, healthcare, and high-volume retail where small drops in completion rate can outweigh theoretical gains from extra checks.
There is no universal standard for this yet, but best practice is evolving toward risk-based journeys rather than blanket enforcement. Some environments need stronger friction by default, such as regulated onboarding, account recovery, or high-value transactions. Others benefit from reducing friction in trusted sessions and shifting control to backend telemetry. NHIMG’s Azure Key Vault privilege escalation exposure is a good reminder that identity friction is not only a front-door issue; overcomplicated access paths often create hidden security debt elsewhere.
The main edge case is when teams treat accessibility or global customer experience as secondary concerns. That usually produces brittle MFA, inconsistent recovery, and high abandonment in lower-trust regions or on shared devices. In those environments, security and UX must be designed together, or users will choose the path of least resistance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | CIAM friction and access decisions shape how users gain and keep access. |
| NIST CSF 2.0 | DE.CM-8 | Monitoring user behaviour helps spot when users bypass controls or fail flows. |
| NIST AI RMF | CIAM decisions increasingly rely on adaptive, context-aware risk evaluation. |
Tune CIAM flows so access is risk-based, usable, and aligned to business-critical identity outcomes.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
