The operational burden that legitimate users feel when security controls slow down normal work. When friction is too high, users tend to bypass controls, seek shortcuts, or create parallel access paths, turning usability failure into a governance and risk problem.
Expanded Definition
Security friction is the amount of resistance a legitimate user experiences when a control adds steps, approvals, time delays, or context switching to ordinary work. In NHI and IAM programs, it is not inherently bad. Some friction is intentional, such as MFA prompts, approval workflows, vault checkout, or short-lived credentials, and it can reduce misuse and exposure. The design problem is balance: too little friction can leave secrets exposed, while too much friction drives shadow workflows, shared accounts, and bypass behaviour.
Definitions vary across vendors, but in practice security friction is best understood as an operational property of a control, not a control type. It is closely related to usability, entitlement design, and policy enforcement quality, and it should be measured against task criticality rather than treated as a universal nuisance. NIST's Cybersecurity Framework 2.0 reinforces the need to align safeguards with business operations so that protection does not become a barrier to adoption.
The most common misapplication is assuming all user complaints indicate overcontrol, when the real issue is often poorly designed access paths, slow approvals, or repetitive reauthentication that pushes teams toward unsafe shortcuts.
Examples and Use Cases
Implementing security friction rigorously often introduces operational delay, requiring organisations to weigh stronger control over high-risk actions against the cost of slower delivery and more user resistance.
- A developer must request temporary vault access for every deployment, which improves control over secrets but can cause teams to cache tokens in tickets or chat tools if the request flow is too slow.
- An AI agent is forced through a human approval step before calling a production API, reducing blast radius while also creating pressure for teams to bypass the approval in urgent cases.
- A service account rotates credentials automatically, but downstream systems still depend on manual reconfiguration, creating friction that may lead to long-lived exceptions.
- Security teams publish guidance in the Ultimate Guide to NHIs on how rotation, vaulting, and offboarding reduce friction over time by making secure paths the easiest paths.
- Standards such as NIST Cybersecurity Framework 2.0 encourage organisations to tune protection to operational reality rather than force one rigid workflow across all identities.
In identity-heavy environments, some friction is deliberate and useful, but it should be concentrated around privileged or sensitive actions, not every routine request.
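The tiering described above (friction concentrated on privileged or sensitive actions, with routine requests served by an automatic short-lived credential) can be expressed as a small policy function. The block below is an added example, not code from NHI Mgmt Group or from any vault product; the identity kinds, the action catalogue with its sensitivity scores, the environment weights, and the TTL values are all constructed assumptions for illustration.

```python
"""
Risk-tiered friction policy for NHI and human requests.

Added example, not the page's or NHIMG's code. The action catalogue,
environment weights, score thresholds and TTLs are constructed
assumptions; a real deployment would load them from policy.
"""
from dataclasses import dataclass
from enum import Enum


class Gate(Enum):
    AUTO = "auto"          # short-lived credential issued with no human step
    APPROVAL = "approval"  # human approval gate before issuance
    DENY = "deny"          # no approved path exists for this request


# Constructed catalogue: higher score = more sensitive action.
ACTION_SENSITIVITY = {
    "read:logs": 1,
    "read:config": 2,
    "deploy:staging": 3,
    "write:prod-db": 5,
    "rotate:signing-key": 5,
}

# Constructed environment weights added to the action score.
ENV_WEIGHT = {"dev": 0, "staging": 1, "prod": 2}


@dataclass(frozen=True)
class Request:
    identity: str   # e.g. "svc-ci", "agent-triage", "alice" (constructed names)
    kind: str       # "human" | "service" | "agent"
    action: str
    env: str


@dataclass(frozen=True)
class Decision:
    gate: Gate
    ttl_seconds: int  # lifetime of the credential issued; 0 when denied
    reason: str


def risk_score(req: Request) -> int:
    """Combine action sensitivity, environment and caller autonomy."""
    base = ACTION_SENSITIVITY.get(req.action)
    if base is None:
        return 99  # unknown action: never silently allow it
    score = base + ENV_WEIGHT.get(req.env, 2)  # unknown env treated as prod
    if req.kind == "agent":
        score += 1  # autonomous callers score higher for the same action
    return score


def decide(req: Request) -> Decision:
    """Map a risk score to the amount of friction the request should carry.

    Low-risk work gets the fastest path (automatic, longer TTL) so the
    approved route is also the easiest one; moderate risk is handled with a
    shorter TTL rather than a human gate; only high-risk actions are gated.
    """
    score = risk_score(req)
    if score >= 99:
        return Decision(Gate.DENY, 0, "unknown action")
    if score <= 3:
        return Decision(Gate.AUTO, 3600, f"low risk ({score}): automatic path")
    if score <= 5:
        return Decision(Gate.AUTO, 600, f"moderate risk ({score}): short TTL, no gate")
    return Decision(Gate.APPROVAL, 300, f"high risk ({score}): human approval gate")


def gated_share(requests: list[Request]) -> float:
    """Fraction of requests that hit the approval gate; a friction budget check."""
    if not requests:
        return 0.0
    gated = sum(1 for r in requests if decide(r).gate is Gate.APPROVAL)
    return gated / len(requests)


if __name__ == "__main__":
    sample = [
        Request("svc-ci", "service", "read:logs", "dev"),
        Request("svc-ci", "service", "deploy:staging", "staging"),
        Request("agent-triage", "agent", "read:config", "prod"),
        Request("agent-triage", "agent", "write:prod-db", "prod"),
        Request("alice", "human", "write:prod-db", "prod"),
    ]
    for r in sample:
        print(r.identity, r.action, r.env, decide(r))
    print("share of requests gated:", gated_share(sample))
```

The useful property to watch is `gated_share`: if most requests are landing on the approval gate, the policy is imposing friction on routine work rather than on the privileged actions it was meant to protect, which is exactly the condition that pushes teams toward caching tokens or sharing credentials.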
Why It Matters in NHI Security
Security friction matters because NHIs scale faster than human oversight. NHI Mgmt Group research in the Ultimate Guide to NHIs reports that 97% of NHIs carry excessive privileges and 71% are not rotated within recommended time frames, conditions that often arise when the secure path is too slow or too hard to use. When teams cannot complete a task quickly through approved controls, they create parallel access paths, hardcode secrets, or reuse tokens, which turns an experience problem into an exposure problem.
That dynamic is especially dangerous in agentic systems, where a CISA secure AI system development mindset pushes organisations to constrain tool access without breaking legitimate automation. The goal is not zero friction. It is to ensure friction is proportional, visible, and justified by risk. Practitioners should treat recurring complaints about approvals, secret retrieval, or token renewal as signals that policy design is misaligned with actual workflow.
Organisations typically encounter the operational cost of security friction only after users begin bypassing controls at scale, at which point the friction itself has become a governance incident that must be addressed.
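Rather than waiting for complaints or for bypass at scale, the signals named above (slow approvals, abandoned requests, repetitive reauthentication) can be measured from an approval-workflow log. The block below is an added example and is not NHI Mgmt Group's code or any product's telemetry format: the CSV-like log lines, workflow names, identities and thresholds are constructed for illustration.

```python
"""
Friction telemetry over an approval-request log.

Added example, not the page's or NHIMG's code. Log format and all values
are constructed: request_id,workflow,identity,submitted,resolved,status.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (not real data).
CONSTRUCTED_LOG = [
    "r01,vault-checkout,svc-deploy,2026-06-01T09:00:00,2026-06-01T09:00:20,approved",
    "r02,vault-checkout,svc-deploy,2026-06-01T10:15:00,2026-06-01T10:15:40,approved",
    "r03,vault-checkout,svc-deploy,2026-06-01T13:30:00,2026-06-01T13:30:30,approved",
    "r04,vault-checkout,svc-deploy,2026-06-01T16:45:00,2026-06-01T16:45:50,approved",
    "r05,agent-prod-call,agent-triage,2026-06-01T09:05:00,2026-06-01T09:35:00,approved",
    "r06,agent-prod-call,agent-triage,2026-06-01T11:00:00,2026-06-01T11:40:00,approved",
    "r07,agent-prod-call,agent-triage,2026-06-01T14:00:00,,abandoned",
    "r08,agent-prod-call,agent-triage,2026-06-02T09:00:00,,expired",
    "r09,token-renewal,svc-billing,2026-06-01T08:00:00,2026-06-01T08:00:10,approved",
    "r10,token-renewal,svc-billing,2026-06-02T08:00:00,2026-06-02T08:00:15,approved",
    "r11,token-renewal,svc-billing,2026-06-03T08:00:00,2026-06-03T08:00:20,approved",
    "r12,token-renewal,svc-billing,2026-06-04T08:00:00,,abandoned",
]


def parse(lines):
    """Turn log lines into records; an empty 'resolved' field means never completed."""
    records = []
    for line in lines:
        rid, workflow, identity, submitted, resolved, status = line.split(",")
        records.append({
            "id": rid,
            "workflow": workflow,
            "identity": identity,
            "submitted": datetime.fromisoformat(submitted),
            "resolved": datetime.fromisoformat(resolved) if resolved else None,
            "status": status,
        })
    return records


def workflow_metrics(records):
    """Per workflow: request count, median wait for approved requests, abandonment rate."""
    by_wf = defaultdict(list)
    for r in records:
        by_wf[r["workflow"]].append(r)
    out = {}
    for wf, rs in by_wf.items():
        waits = [
            (r["resolved"] - r["submitted"]).total_seconds()
            for r in rs
            if r["status"] == "approved" and r["resolved"] is not None
        ]
        not_completed = sum(1 for r in rs if r["status"] in ("abandoned", "expired"))
        out[wf] = {
            "count": len(rs),
            "median_wait_s": median(waits) if waits else None,
            "abandon_rate": not_completed / len(rs),
        }
    return out


def slow_or_abandoned(metrics, max_wait_s=900, max_abandon=0.25):
    """Workflows whose approvals are too slow or too often given up on (thresholds constructed)."""
    return sorted(
        wf for wf, m in metrics.items()
        if (m["median_wait_s"] is not None and m["median_wait_s"] > max_wait_s)
        or m["abandon_rate"] > max_abandon
    )


def repetitive_requesters(records, per_day_limit=3):
    """(workflow, identity) pairs re-requesting more than per_day_limit times in one day."""
    counts = Counter(
        (r["workflow"], r["identity"], r["submitted"].date()) for r in records
    )
    return sorted({(wf, ident) for (wf, ident, _), n in counts.items() if n > per_day_limit})


if __name__ == "__main__":
    recs = parse(CONSTRUCTED_LOG)
    m = workflow_metrics(recs)
    for wf, stats in m.items():
        print(wf, stats)
    print("slow or abandoned:", slow_or_abandoned(m))
    print("repetitive requesters:", repetitive_requesters(recs))
```

In the constructed data the agent approval gate is flagged for latency and abandonment (the pattern in which an agent's production call waits on a human for half an hour and the request is later dropped), while the vault-checkout workflow is fast but is flagged for repetition because one service identity re-requests it four times a day; those are two different friction problems with two different fixes (a faster or narrower gate versus a longer-lived or broader grant for the routine path).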
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 | Friction often causes secret sprawl and unsafe workarounds. |
| NIST CSF 2.0 | PR.AC-1 | Access control should support operations without driving bypass behavior. |
| CSA MAESTRO | | Agentic AI governance must balance safety gates with execution reliability. |
Reduce control friction by making approved secret handling the fastest usable path.
Related resources from NHI Mgmt Group
- How should security teams implement zero trust authentication without adding too much user friction?
- How should security teams replace traditional MFA without creating new access friction?
- When does authentication friction become a security problem?
- How should security teams reduce phishing risk in MFA without creating more user friction?
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org