Congrats—you got the green light to move forward with improving identity access management (IAM). While you realize this is great news for your organization’s security, that initial excitement can quickly turn into unease as you face the next hurdle in your security quest: implementation.
According to Cisco Duo’s 2025 State of Identity Security, 82% of financial decision-makers have increased their identity security budget. That means many enterprises now have the backing to roll out initiatives to upgrade IAM—a security framework that controls who can access which systems, data, and applications within an organization.
However, the implementation process can be either smooth or full of obstacles. Without proper planning, organizations may face challenges, says Chris Anderson, Product CTO at Cisco Duo.
“One of the biggest barriers is going to be your environment,” Anderson explains. “What type of applications do you have? How are users logging into them? Are they web-based or are they not? Do they use legacy protocols that may not support phishing-resistant authentication today? Are your users prepared? Is your help desk prepared?”
With the right preparation, these challenges are surmountable. Here are the best practices to follow for a successful IAM implementation.
4 solutions to IAM implementation challenges
1. Thinking poor user experience is inevitable
Challenge:
Your users are frustrated by a complex or confusing login process, which leads to dangerous workarounds, complaints, and more help desk tickets.
Solution:
Matt Caulfield, VP of Product, Identity, at Cisco, says many organizations struggle with the tension between security and user experience.
“IT is trying to provide the tools employees need as fast as possible to make them productive,” he said. “Security, meanwhile, needs to provide enough constraints so that people don’t shoot themselves in the foot and that attackers can’t just come in the front door.”
Caulfield suggests prioritizing the user experience by using intuitive, low-friction authentication, such as Duo Single Sign-On (SSO). It provides a single login for all a user’s apps. With a proximity-based verification method, the organization also benefits from high-assurance, phishing-resistant multi-factor authentication (MFA) without having to deploy, manage, or use hardware tokens, saving their users and admins a ton of headaches.
2. Rolling out without sufficient testing
Challenge:
Rushing deployment without conducting adequate testing can cause access issues, disrupt workflows, or introduce configuration errors.
Solution:
Anderson advises that while passwordless and phishing-resistant authentication is where you want to get to, it is not an overnight success. “It’s going to take a journey. Not every user in your organization will be ready for it. They’re not going to have all the devices available to take advantage of it day one,” he said.
Conduct staged rollouts and validate settings before expanding organization-wide. Consider using an IAM solution that offers a free trial with no purchase minimums and no lengthy, confusing contracts. Start with a pilot group of users and a policy engine that allows for the gradual rollout of features. This approach will help you identify potential issues, refine them as needed, and then launch once the system is stable.
3. Overlooking device health
Challenge:
A lack of visibility and control from trying to maintain trusted devices, enabling or preventing BYOD, and having only a snapshot of which devices are out-of-date or vulnerable to exploits.
Solution:
“We believe that you can’t protect what you can’t see,” Caulfield cautions. Avoid hidden security gaps that attackers can exploit by implementing an IAM solution that considers device trust and security posture before allowing access. You’ll benefit from seeing which devices people are logging in from without deploying any device managers. Make sure to set up your policies accordingly, like automatically blocking access until a user updates their OS with the latest security patch.
Keep an eye on every device in your network with Cisco Duo Device Trust. It verifies that a device is secure before allowing it to connect to a network, giving you real-time visibility to spot vulnerabilities.
4. Forgetting ongoing governance
Challenge:
If not kept in check, privilege creep and policy drift can quickly erode access control over time.
Solution:
Establish continuous monitoring, regular reviews, and automated governance to keep access aligned with organizational needs. A strong policy recommendation engine can decrease the load on your admins to customize configuration improvements.
Anderson says traditional approaches to identity security start with identity and then bolt on additional layers of security and governance.
“Our policy stack is not bolted on but is ingrained in the product from the get-go to eliminate as many gaps that occur as possible,” Anderson said, referring to Cisco Duo.
Take advantage of granular policy-setting to automate access controls and get answers to queries quickly with a powerful AI Assistant built into the administrative dashboard.
Turn implementation unease into ease with Cisco Duo
Cisco Duo provides the structure and planning to keep your IAM implementation on track. With identity support and pre-deployment planning guides covering app inventory, access group mapping, and identity source alignment, you can prepare for a smooth and successful implementation.
Ready to see how Cisco Duo can simplify your implementation? Try Cisco Duo for free with a 30-day trial.
