
A holistic approach to CIAM: balancing security and user experience
Establishing a user’s identity and access rights is a fundamental capability of any IT system — underpinning secure permissions, reliable records, and an optimised user experience. In this blog, Paul Crisp, a Senior Enterprise Architect at Opencast, explores the importance of bringing a holistic service design mindset to Customer Identification and Access Management (CIAM).
CIAM is a key part of every IT solution. Beyond establishing your identity and role — who you are and what you’re allowed to do — solutions usually encompass assessing where you are (location), what you usually do (typical user journeys) and what means of access you are using. Combined with live reporting and fraud monitoring, they provide a secure, vigilant, rules-based front door to digital services.
Key issues and challenges
From decades of working in Government on major digital transformation programmes, I've seen first-hand the importance of bringing a holistic mindset — understanding problems end-to-end across architecture, service design and the full range of users a solution serves. More recently, I worked in the CIAM space in a new area of Government, and it struck me how vital this end-to-end mindset is — but how often it is still undervalued.

Modernising while maintaining the service
One of the principal problems any organisation faces is keeping services available while modernising, and ensuring that any transition does not leave back doors into the organisation, or accidentally create situations in which call centre agents (real or virtual) are overwhelmed by processes put in place to cover gaps. This is particularly true of organisations with heavily used legacy systems. We have to enhance existing data and technology to achieve optimal security and user journeys, while meeting long-standing obligations and expectations and ensuring clear ownership of the evolving process.
Avoiding CIAM falling through the cracks
In a world of competing budgets and projects, CIAM can look like an overhead that gets shunted around between overlapping programmes of work or dumped onto an in-life service team to sort out. But, in fact, when done properly, it unlocks everything else and is usually the first point at which customers encounter an organisation — critical from a user experience perspective. It is a key cross-cutting issue and can therefore be a huge blocker across many strands of work.
Keeping pace with CIAM issues
Professionals in this space have a lot to think about. Modern CIAM issues centre around managing sophisticated AI-driven threats and the explosion of non-human identities (bots, agents). This leads to an increased focus on passwordless authentication, granular permissions, continuous monitoring, identity fabrics, and AI-powered governance to combat account takeovers and deepfakes, all while navigating global data regulations.

Tackling these challenges:
Starting with a user-centred approach
User experience on any service is critical — the CIAM floor is genuinely moving under our feet. Across Government organisations, CIAM is a critical component of so many services, and many have a long ‘tail’ of older customers used to letters and Post Office counters or a friendly voice in a call centre, who now face a very different (and in their eyes far more complex) front door as CIAM becomes increasingly sophisticated. Being able to balance a seamless user experience with robust Zero Trust security is where service design and security professionals need to be able to work in true partnership.
Bringing a service design mindset
Bringing a holistic service design mindset to CIAM is critical — it helps ensure that users aren’t locked out by decisions we make, that we don’t help legacy users with simple workarounds that undermine our new infrastructure, and that other programmes don’t grind to a halt waiting for us — a complex juggling act. A critical factor is also ensuring that we don’t overlook internal stakeholders. In-life teams, call centre agents, developers, and project managers are users too. In a managed service they may be anywhere in the world and their skills are essential.
Keeping pace with new and evolving requirements
While the rise of new and evolving threats in the CIAM space is alarming and highly prevalent, the exciting and reassuring part is that there is a range of new solutions to tackle them — from passwordless and phishing-resistant authentication to agentic identity frameworks, identity fabric, and AI-driven real-time risk detection, decision-making, and automated access governance.
Conclusion
In essence, 2026 CIAM is becoming more complex but also more interesting — moving beyond static passwords to dynamic, potentially AI-aware multi-factor identity security that protects human and machine identities across complex digital ecosystems. This is much more complex than what we have been used to, but also supports much richer and more secure interactions. This is why proper user-centricity and service design should be brought to bear from all the perspectives within the organisation as it transforms — from the people fixing the legacy data to the service teams and, more than ever, the customer who might simply give up and take their business elsewhere if the journey is too complex.

OpenPerspectives is our platform for Opencast people to share their thoughts and perspectives on modern digital delivery. It offers practical insight into user-centred design, engineering excellence, product leadership, data-driven decision making and building expert capabilities, grounded in real-world experience.














