Subscribe to the Non-Human & AI Identity Journal
Home Glossary Identity Beyond IAM Friction Placement
Identity Beyond IAM

Friction Placement

← Back to Glossary
By NHI Mgmt Group Updated July 12, 2026 Domain: Identity Beyond IAM

Friction placement is the decision about where in a user journey to ask for verification, challenge, or additional proof. The timing matters as much as the control itself because users are more willing to complete a check after they have invested time, value, or intent in the process.

Expanded Definition

Friction placement is the practice of choosing the point in a journey where a control should interrupt, slow, or verify a user, device, or agent. The control itself may be familiar, such as step-up authentication, document review, or transaction confirmation, but its effectiveness depends on timing. In identity and cybersecurity workflows, good friction placement aligns the challenge with risk, user intent, and the value already established in the interaction. A check placed too early can create abandonment; a check placed too late can allow misuse to progress before it is stopped.

For NHI and agentic AI contexts, friction placement also matters when software entities request tools, tokens, or elevated permissions. A verification point should appear at the moment of meaningful risk, not only at login. That may mean introducing approval before token minting, before privileged action execution, or before a high-impact change to a workflow. NIST guidance on control selection and implementation in NIST SP 800-53 Rev 5 Security and Privacy Controls supports this kind of risk-based control placement. The most common misapplication is adding friction at the start of a journey when the actual abuse point is later in the workflow, which occurs when teams design around policy preference instead of the attacker’s path.

Examples and Use Cases

Implementing friction placement rigorously often introduces a tradeoff between user convenience and control strength, requiring organisations to balance completion rates against the cost of delayed or failed abuse detection.

  • Adding step-up authentication when a user attempts a payout increase after already completing standard onboarding and profile updates.
  • Requesting additional proof only after a claimant has submitted a full application, rather than interrupting the process before any context is established.
  • Requiring manager approval before an AI agent can use a privileged API key to modify records, rather than prompting at routine startup.
  • Triggering document verification after a user selects a high-value service tier, where intent is clearer and false positives are less disruptive.
  • Placing a warning and confirmation step before a privileged action in a delegated workflow, instead of relying only on the initial authentication event.

This logic maps closely to modern access and assurance thinking in frameworks such as NIST SP 800-63 Digital Identity Guidelines, where assurance should match the sensitivity of the action, not just the fact that someone signed in. It also intersects with NHI governance when machine identities are issued credentials that can be reused across systems. In those cases, the best friction point is often just before issuance, reuse, or privilege elevation, not at the point of initial registration.

Why It Matters for Security Teams

Security teams need to understand friction placement because poorly timed controls can create either user drop-off or attacker freedom. A challenge placed too early may be bypassed through user fatigue, while a challenge placed too late may fail to stop fraud, privilege misuse, or automated abuse. The right placement helps teams preserve business flow while still interrupting high-risk actions with meaningful proof.

For identity, NHI, and agentic AI programs, this concept is especially important because the “user” may be a human, a service account, a token, or an autonomous agent. A control that is effective for a person may be ineffective for a software entity unless it is positioned around credential use, secret access, or tool invocation. That is why friction placement should be reviewed alongside access policy, workflow design, and privilege boundaries, not as a standalone UX decision. Organisations also need to consider where verification can be reused, where it must be repeated, and where escalation should trigger logging or approval.

NIST SP 800-207 Zero Trust Architecture reinforces the broader principle that trust should be evaluated at the point of access and action, not assumed from a prior event. Organisations typically encounter the real cost of poor friction placement only after fraud, account takeover, or agent misuse has already advanced deep into the workflow, at which point the placement of verification becomes operationally unavoidable to fix.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Access controls should be placed where risk changes, not only at initial sign-in.
NIST SP 800-63AAL2Assurance levels help decide when additional proof is needed for a transaction.
NIST Zero Trust (SP 800-207)IAZero Trust validates each request, supporting action-level friction placement.
OWASP Non-Human Identity Top 10NHI-credential-lifecycleNHI guidance emphasizes controlling when machine identities obtain and use credentials.
OWASP Agentic AI Top 10agent-tool-useAgentic AI guidance highlights gating tool calls and escalations with suitable approvals.

Insert verification at high-risk action points and review whether access checkpoints match threat exposure.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org