Why Access Should Evolve as Fast as Your Business Does


Business doesn’t stand still, and neither should access.

Modern enterprises don’t just rely on employees; they depend on suppliers, distributors, brokers, and partners — all of them are third-party identities needing access to critical systems. These relationships are fluid: teams form and disband, roles shift, projects start and stop. Static identity systems can’t keep pace with that reality.

Access must keep pace.

The 2025 Thales Digital Trust Index Third-Party Edition confirms this shift. It shows that slow, inflexible access processes are not just operational bottlenecks. They undermine trust, delay productivity, and create unnecessary risk.

Most identity systems were designed for stability, but today, agility and adaptability matter more.

Access Is a Lifecycle, Not an Event

Access should not happen once, at onboarding, and then get forgotten. It needs to evolve.

Joiners need fast, clear onboarding. Movers need timely changes to access. Leavers need prompt deprovisioning. Yet the report shows that this lifecycle is often broken.

  • Over half (51%) of users keep access after they no longer need it.
  • The average time to revoke access is 5.2 business days.
  • Users report retaining access to 2.3 systems beyond necessity.

When systems lag behind reality, you create exposure. Not from attackers so much as from inertia.

The Reality: Access Still Lags Behind

Access doesn’t always match the pace of business. 31% of third-party users wait more than one business day just to get started. That’s a lost day before work begins.

Worse, the experience remains painful long after onboarding.

  • 96% of users face login issues with partner systems.
  • 47% lose time weekly dealing with authentication or access problems.
  • The average time wasted per user is 48 minutes per month.

These inefficiencies are avoidable, but they persist because organizations still rely on outdated technologies and processes that cannot address today’s and future risks.

Access Misalignment During Role Changes

When a user’s role changes, access should change with it. In practice, it often does not.

Only 48% of users receive all the permissions they need after a role shift. For the rest, access remains misaligned, creating inefficiency and requiring repeated requests.

35% of users take two to seven days to modify access when responsibilities shift. That’s up to a week of misalignment. This delay slows work, creates repeated access requests, and frustrates external users.

This lag is no longer acceptable.

Authentication Is Part of the Problem

About 58% still use SMS one-time passwords, which many standards bodies have deprecated due to known vulnerabilities. Another 10% rely only on username and password. Biometrics, physical tokens, and passkeys are in use, but application is inconsistent.

Authentication should never be a barrier; it should enable work. Passwordless approaches, especially passkeys, reduce reset burden and phishing risk while lowering login friction.

Inconsistent authentication increases login issues. Poor experience reduces engagement. This results in users abandoning systems, bypassing controls, or working offline. Many users report weekly disruptions, with an average of 48 minutes lost per month.

A dynamic, risk-aware approach that favors passwordless, phishing-resistant methods such as passkeys, applied consistently across systems, supports both security and usability.

Trust Demands Real-Time Control

The report makes one clear point: trust is earned through transparency, consistency, and control.

  • Nearly two-thirds (61%) of businesses struggle to track access across external partners.
  • More than half (56%) are only somewhat confident that a partner would disclose a breach.
  • A staggering 86% identified at least one area of partner access management that requires improvement.

These are not isolated instances but symptoms of systems that have not evolved.

Why Executives Should Care

Yes, this is an IT issue, but it’s a business one, too.

Inflexible access policies hurt margins. They delay revenue. They stretch internal support. Delays in onboarding, recurring password resets, and outdated permissions become recurring costs.

40% of users reset passwords once or twice a month. Multiply that across your partner ecosystem, and the support costs are significant.

These avoidable losses are born of poor identity management practices, not complexity.

How We Define Third-Party Access Done Right

To enable modern B2B partnerships, organizations need identity systems that are:

  • Dynamic – change access in real time as roles shift
  • Delegated – empower partners to manage access within boundaries
  • Auditable – provide end-to-end oversight of who has access to what, why, and for how long
  • Consistent – phishing-resistant authentication and appropriate identity verification

While some may think this means adding more and more layers, it’s really about removing friction.

Delegated User Management is one model gaining traction. It allows partner managers to handle access for their own users, while the host retains control. It improves speed and reduces internal overhead. Crucially, it aligns access with reality.

What You Should Do Now

  1. Map the lifecycle to understand where delays happen across joiners, movers, and leavers.
  2. Automate provisioning and deprovisioning, and remove reliance on manual workarounds and spreadsheets.
  3. Enable delegated management to empower business units or partners to manage access within limits.
  4. Unify authentication by applying consistent, secure methods that don’t burden the user.
  5. Audit continuously and monitor access and permissions in real time.

The tools are already here. What’s needed is prioritization.

Make Third-Party Access Timely and Transparent

Your business moves fast. Your people move fast. Your partners move fast; access should, too.

Stale identity systems are no longer fit for purpose. They slow down deals, introduce risk, and damage the trust that holds digital business together.

Treat access speed and clarity as part of the user experience as well as security.

Your access policies are a reflection of your operating model. If they’re slow, inconsistent, or outdated, your partners will notice, and so will your bottom line. Policies and workflows should be simple, consistent, and measurable. Track time to first access, time to change, and time to revoke.

The systems we build should reflect the way we work, and the way we work is always changing.


Jose Caso, B2B IAM at Thales, is a seasoned product professional with over 15 years of experience in software development, product management, and product marketing. He specializes in aligning technical and business goals to deliver solutions that meet evolving client needs. With a background spanning physical security, cybersecurity, and enterprise solutions, Jose focuses on driving innovation that keeps businesses competitive in a dynamic market.

