From DIY to Done Right
How Production IAM Turns Identity into a Builder Advantage
IAM is More Than Just Login
Scale - volume, throughput, usage
Complexity - security, usability, privacy and personalisation
Flexibility and modularity
Identity and Access Management (IAM) is more than just the login box. Whilst that is the first thing many customers and citizens encounter when they attempt to access a downstream system or application, the underlying capabilities and skills required to build such an authentication flow are considerably more involved. In addition, authentication is only ever part of a broader set of requirements that span the entire end-to-end life-cycle of an identity: from acquisition and on-boarding to storage, session management, privacy and robust access control.
The counterpoint, of course, is that you can go faster on your own but further in a crowd, and in some respects that applies perfectly to IAM platforms. Whilst many initiatives start with minimal IAM requirements, they can rapidly morph into a sprawling mix of security, data, scale and privacy needs. At first glance the initial signup and sign-in flows seem like easy candidates for self-build and DIY initiatives, but they will soon run into scale and complexity challenges.
Scale is not just about the volume of identities from a storage point of view, though. We also need to consider concepts such as throughput, which is likely to be non-linear, and elasticity. By this I mean there is a certain level of uncertainty and uncontrollability in B2C and even B2B2x environments, where throughput for both signup and sign-in can vary hugely during particular external events such as competitions, marketing campaigns or government deadlines. A more recent amplification of scale requirements comes in the form of non-human identity (NHI) and agentic identity, where the volume of identities and the transaction rates for things like authorization enforcement are considerably higher than in traditional environments.
From a feature-requirements perspective we also see several conflicts: the classic security versus usability trade-off, and personalisation versus privacy, both of which can be complex to solve with homegrown and DIY solutions.
Secure, Usable and Privacy Enabling
Evolving Threats and Standards
Compliance and Consent
Supporting an experience that is usable and secure, compliant and omni-channel, and that empowers and attracts end users, requires a blended approach drawing on many different options.
Building that for one application or service is possible, but a strategic view of IAM requires it to be done for all systems and services in a repeatable and cost-effective manner. This latter point is becoming increasingly important: poor experiences certainly impact sign-up and in turn revenue generation, and combining that with the personnel costs of homegrown solutions can result in a significant net cost.
The impact of strategically supporting a usable experience across multiple applications, sites and brands is complex. It requires a deep understanding of end-user types and preferences, subtle differences in localization and age-related patterns of usage, as well as support for a variety of options for authentication, signup, transaction processing and content management. Whilst some of those signals are controllable, the security aspect may not be.
B2C identity introduces considerably more uncontrollable elements than workforce identity. Not only are volume, growth and throughput often difficult to estimate, but external threats and the tactics, techniques and procedures (TTPs) used by adversaries change constantly. The traditional way of approaching external-facing sites was to build first and test last, as seen with the classic pen-test approach of periodically validating external-facing components.
This has evolved hugely in the past decade, and the advent of AI-centric continuous testing can allow development teams to build security in from the start, with code and dataflow analysis allowing immediate comparison against compliance requirements and the organisational risk posture.
The constantly evolving threat landscape is only one of the many uncontrollable aspects of B2C and B2B IAM development. Standards such as OAuth2, OIDC, SCIM, FIDO and, more lately, the AI-related MCP and AgentAuth, whilst mature in many respects, have numerous profiles and implementation patterns that change and must be adhered to. With a specific focus on AI, the more recent design patterns around harness engineering and plugin development are a good example of an area where solution emergence often occurs faster than operational design.
Open standards provide numerous benefits, including improved interoperability, simpler design and threat modelling, and knowledge economies of scale with respect to repeatable integration options. However, attempting to conform to open standards in-house requires both deep specification knowledge and the time and effort to track, understand and often participate in standards groups.
Vendor Profile: https://www.ory.com/
In Their Words: “Ory. Identity for Builders. Composable, scalable, transparent IAM for agents, customers, and B2B”
Headcount: ~50
Funding: ~$27.5 Million
The Cyber Hut Comment: Ory are a modern IAM platform, with a broad and modular set of capabilities for B2C, B2B and agentic identity. Their core foundation is to support builders and developers with a range of open source components, with production-grade platform support for repeatable deployment.
What Production Platforms Enable
Managing Uncertainty
Future Proofing - Building for AI and Beyond
Uncertainty in both technology evolution and B2C identity environments cannot be avoided or removed, but it can be managed. A core benefit of a production IAM platform is that it can absorb both the business and technical change that is constantly occurring. Changes in scale, standards, application integration requirements or privacy enablement are not one-off periodic considerations of the kind that would historically have been managed by long-tail Waterfall development methodologies. They need to be handled not periodically but in a continuous and iterative manner, by selecting composable capabilities as and when they are needed.
A production IAM platform like Ory supports a modular and customizable deployment model. This deployment model must support a range of options, as the modern enterprise must contend with a growing number of application locations, from on-premises and virtual to SaaS or API-only delivery. But that is only one aspect of the matrix: the consumable capabilities such as user storage, federation, signup or sign-in features must also be available both in a modular fashion and with a range of integration options.
A key concern of feature integration is the ability to future-proof and to have a clear roadmap of new requirements. Emerging technologies and challenges with respect to non-human identity (NHI) and agentic access management are two of those new roadmap items. Firstly, these areas are still relatively nascent compared to established design patterns for areas such as credential reset or MFA enrolment. The standards associated with them are either immature or non-existent, so building from scratch will likely lead to rip-and-replace steps in the future.
An example of this is the recent extension of the Ory platform to support API key management requirements. AI is intrinsically reliant upon data, and that data is integrated via APIs. Traditional approaches to API access often relied upon hardcoded and static credentials with broadly scoped access. Even though that is known to be an anti-pattern, many deployments still follow it, largely due to an inability to deliver repeatable and composable solutions across numerous platforms and deployments. An externalised approach to this challenge is how production platforms like Ory can support technology evolution while also improving developer productivity. Capabilities such as short-lived tokens and decentralized, distributed approaches to capability management (i.e. the Google Macaroons design pattern) provide a much more strategic approach.
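As an added illustration of the Macaroons pattern mentioned above (this is not Ory's implementation; the root key, the `svc-reporting` identifier and the `<field> <op> <value>` caveat language are constructed for the example), the following shows a credential being minted by an issuer and then narrowed offline by its holder, the opposite of a static, broadly scoped API key:

```python
import hashlib
import hmac
from dataclasses import dataclass


def _chain(key: bytes, msg: str) -> bytes:
    # Each link of the credential is an HMAC keyed by the previous link.
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: str            # names the capability, e.g. a service account
    caveats: tuple = ()        # restrictions; each one narrows the credential
    signature: bytes = b""     # HMAC chain over identifier and every caveat

    @classmethod
    def mint(cls, root_key: bytes, identifier: str) -> "Macaroon":
        # Only the issuer holds root_key; the first link binds the identifier.
        return cls(identifier, (), _chain(root_key, identifier))

    def attenuate(self, caveat: str) -> "Macaroon":
        # Any holder can add a caveat offline. The new signature derives from
        # the old one, so the broader credential cannot be recovered from it.
        return Macaroon(self.identifier, self.caveats + (caveat,),
                        _chain(self.signature, caveat))


def _caveat_holds(caveat: str, request: dict, now: int) -> bool:
    """Evaluate one constructed first-party caveat: '<field> <op> <value>'."""
    parts = caveat.split(" ", 2)
    if len(parts) != 3:
        return False                      # malformed caveat: fail closed
    name, op, value = parts
    if op == "=":
        return request.get(name) == value
    if op == "<" and name == "time":
        return now < int(value)
    return False                          # unknown caveat language: fail closed


def verify(root_key: bytes, m: Macaroon, request: dict, now: int) -> bool:
    """Recompute the HMAC chain from the root key; every caveat must hold."""
    sig = _chain(root_key, m.identifier)
    for caveat in m.caveats:
        sig = _chain(sig, caveat)
        if not _caveat_holds(caveat, request, now):
            return False
    # A dropped or altered caveat breaks the chain, so the signature mismatches.
    return hmac.compare_digest(sig, m.signature)
```

A holder who strips a caveat to regain broader access produces a signature that no longer matches, because verification recomputes the chain from the issuer's root key.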
A second aspect of the need for future-proofing also relates to AI. The gateway model of coarse-grained API protection has been readily adopted for the AI world. However, as with any complex technology, a broad array of security controls is needed, as is the ability to implement fine-grained protection. The recent emergence of the harness design pattern allows lifecycle controls to be applied to the core LLM platforms via a plugin architecture. Ory supports such a model, with the ability to restrict not only which tools AI actors may access (for example the Bash shell) but also which commands may be executed within the tool itself, helping to prevent the dreaded “rm -rf” force-delete command in *nix. Providing agent security consistently across LLM platforms such as OpenAI's ChatGPT or Anthropic's Claude is where a platform like Ory helps, with a range of npm packages:
Claude Code — @ory/claude-code
Gemini CLI — @ory/gemini-cli
OpenAI Codex — @ory/codex
OpenClaw — @ory/openclaw
OpenCode — @ory/opencode
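An added example, not Ory's code, of the two-layer control described above written as a pre-tool-use policy hook for an agent harness; the tool names `read_file` and `bash` and the `check_tool_call` interface are hypothetical:

```python
import shlex

# Hypothetical tool names for this harness; only these are reachable by the agent.
ALLOWED_TOOLS = {"read_file", "bash"}
SEPARATORS = {";", "&&", "||", "|", "&"}


def _simple_commands(command: str) -> list:
    """Split a shell line on ; && || | & so every sub-command is inspected."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:                 # raises ValueError on unbalanced quotes
        if tok in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(tok)
    commands.append(current)
    return [c for c in commands if c]  # drop empties from doubled separators


def _is_forced_recursive_rm(argv: list) -> bool:
    """Detect rm combining recursive and force flags in any spelling or order."""
    if argv and argv[0] == "sudo":     # look through a privilege wrapper
        argv = argv[1:]
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":
        return False
    short, long_opts = set(), set()
    for arg in argv[1:]:
        if arg.startswith("--"):
            long_opts.add(arg[2:])
        elif arg.startswith("-") and len(arg) > 1:
            short.update(arg[1:])      # -rf, -fr, -Rf, -r -f all land here
    recursive = bool(short & {"r", "R"}) or "recursive" in long_opts
    return recursive and ("f" in short or "force" in long_opts)


def check_tool_call(tool: str, args: dict) -> tuple:
    """Return (allowed, reason). Layer 1 gates the tool, layer 2 the command."""
    if tool not in ALLOWED_TOOLS:
        return False, f"tool {tool!r} is not permitted for this agent"
    if tool == "bash":
        try:
            commands = _simple_commands(args.get("command", ""))
        except ValueError as exc:
            return False, f"unparseable command, refusing: {exc}"
        for argv in commands:
            if _is_forced_recursive_rm(argv):
                return False, "blocked destructive command: " + " ".join(argv)
    return True, "ok"
```

The hook fails closed on anything it cannot tokenise, since a command the policy cannot read is one it cannot vouch for.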
Benefits for Builders and Business
Lets Builders Build Apps
Lets the Business Grow
A final comment on benefits. IAM is becoming more complex than ever before. We have more identities, systems and requirements to support - across a more varied deployment ecosystem. As IAM becomes more measurable and impactful for areas such as revenue generation, usability and developer productivity, a production platform essentially allows app owners and builders to do what they do best: build systems and deliver value. Externalisation of many IAM functions has been happening over the past two decades, but we now see maturity across many capabilities that can be deployed in a modular and composable design pattern. Platforms like Ory are now seen as enablers for the builders on top of them, not merely libraries and SDKs.
A more fundamental aspect is that if builders are building more effectively and efficiently, the business by design becomes more adept at responding to change (be that external competitive pressure or compliance) and in turn can deliver more personalised experiences and revenue.
About The Author
Simon Moffatt has over 25 years' experience in IAM, cyber and identity security. He is founder of The Cyber Hut, a specialist research and advisory firm based out of the UK. He is author of CIAM Design Fundamentals and IAM at 2035: A Future Guide to Identity Security. He is a Fellow of the Chartered Institute of Information Security, a regular keynote speaker and a strategic advisor to entities in the public and private sectors.