4 Apr, 2023 | 3 min read

CIAM Beyond Access Management - Is Your CIAM Program There Yet?

  • Geethika Cooray
  • Vice President & Head of the IAM BU - WSO2

How mature is your CIAM program today, and how do you aspire to evolve it? We talk with many existing and prospective CIAM customers and have found a fairly rapid evolution in maturity over the last year. In fact, we’ve developed the WSO2 CIAM Maturity Model to discuss the various levels of maturity we see across the market. 

So what level do you think your organization is at currently, and how can you strive for an optimized level of maturity? This article will shed some light on what leading customer-first organizations are currently accomplishing, which starts with thinking beyond access management. 

What challenges are organizations facing with their CX initiatives?

As a vendor that specializes in integration and customer identity and access management (CIAM), we tend to engage with organizations that are transforming their digital experiences. They are striving to provide unified, multi-application experiences. The following are typical challenges they are trying to address:

  • Streamline user onboarding
  • Reduce friction during the registration and login process
  • Provide unified authentication across channels
  • Manage identities and authentication for external B2B applications

Most requirements organizations identify are focused on capabilities that simplify the user registration and login process for customers. Customers can be consumers (B2C), citizens (G2C), or enterprise partners that administer their own customers (B2B). To the extent organizations strive to treat their workforce as they would treat consumers, the workforce could also be included as a customer (B2E). Traditional CIAM requirements to simplify registration and login include things like SSO, MFA, social login, and consent management, all of which are important but restricted to access management or access control. Essentially, it’s all about seamlessly letting ‘good customers’ in while keeping the ‘bad customers’ out.

An important and evolving requirement here revolves around consent and privacy requirements. Regulatory requirements can vary by geography, but organizations generally understand that they need to enable their customers to control data collection, retention, and processing. Successful organizations require the minimal amount of personal information at the beginning of a customer relationship (for example, pre-registration and onboarding) and then use progressive profiling to ask for more information as the customer onboards and then eventually consumes more services. Progressive profiling minimizes customer friction and also reduces the risk to the organization of holding unneeded customer data.

Reviewing analyst research that gives advice to customers evaluating vendor CIAM solutions validates my view that most requirements today are limited to access management. With the current exception of B2B (where many vendor products fall short), most CIAM vendors do an adequate job of meeting all of the simple use cases to simplify registration and login. Because it represents the current state of most solutions in the industry, we call this basic level of access management-focused CIAM “CIAM 1.0”. WSO2’s ‘Secret Sauce’ shines in two key areas at this level of maturity. Firstly, we offer the most robust and comprehensive B2B capabilities available. Secondly, we provide developers with the SDKs, APIs, agents, and toolkits needed to achieve quick results, ensuring a speedy time to market.

CIAM is evolving to provide a unified view of the customer

Leading customer-centric organizations want to move beyond the basics to deliver a truly secure and personalized experience to their customers. From speaking with business leaders and WSO2 customers that are thought leaders over the last year, we know that organizations want to move beyond the traditional CIAM requirements that focus only on security and deliver a richer, more personalized experience for customers across multiple touch points. These organizations don’t want to marginalize their good customers by forcing strict and multiple security measures on them; they would rather identify and analyze the risk posed in a given context and adjust the security measures dynamically to mitigate the potential risk. The bottom line is, let’s not treat our customers like criminals.

Competition is fierce, and it’s never been easier for people to change providers on the basis of a poor digital interaction with a brand. To set themselves apart, organizations need to make their websites and mobile apps more engaging, personalized, and meaningful for users. Achieving this goes beyond simply gathering information; it involves intelligent use of it to improve digital experiences. This includes enabling multi-experience applications to provide a unified experience across all the various customer touch points. Customer touch points can include web and mobile apps, call centers and in-person experiences, kiosks, devices, APIs, and more, depending on the environment. This is the first step to going beyond access management: creating unified multi-experience applications. However, for some businesses, this is a complex undertaking as they may have multiple web and mobile apps that vary by geography, business unit, department, B2B partner, and more.

The next challenge is to break down the individual data silos that only have partial knowledge of a customer’s activity to create a unified view of customer identity. The unified customer view must be integrated into not only all customer touch points but also a variety of complex business systems that can help deliver a personalized CX. These systems could be based on legacy technologies or follow the latest cloud standards. Examples of these systems go beyond the obvious sales and marketing systems, to include a variety of business apps, directories, and other systems of record. It’s easy for a CIAM vendor to try and check this integration box by touting a few connectors to sales and marketing systems, but the reality is that most environments are more complex than just that, and more comprehensive API management and integration capabilities are needed here. Given WSO2’s focus on both integration and CIAM, we are in a unique position to offer a single-vendor solution to accomplish the most complicated CIAM and integration projects.

Industry leaders such as Hard Rock are already offering a comprehensive, secure, and personalized experience to their patrons using WSO2 as a foundation. To do that required overcoming an incredible amount of complexity. More than a mere few connectors to sales and marketing systems, Hard Rock needed to consolidate 10 different loyalty programs into one, and this required over 100 integrations to various customer-facing and back office business systems.

WSO2 provides developers and internal business users with the service orchestration and integration capabilities they need to extend CIAM to include business system and device integration and advance to the next level of CIAM, which goes beyond simple access management capabilities. Since this level of personalization represents current best practices that are only being accomplished by a select few, we call this CIAM 2.0.

What’s in the immediate future for CIAM?

While CIAM 1.0 solutions can provide the core security functions needed for a solid user experience, CIAM 2.0 builds on this by unifying and integrating identity information from many silos to establish a comprehensive personality profile of a customer’s preferences, activity history, and other patterns. This enables business leaders to offer incentives, cross-selling and up-selling, and an overall personalized experience based on a holistic view of each individual. The combination of identity information and personality information creates what we call a “digital double”—a holistic digital representation of a customer. The digital double can be leveraged through machine learning and AI to create real-time and predictive services via APIs, feeding multi-experience applications with the relevant information needed to offer the ultimate secure and personalized experience in real-time to delight customers. Since this level is largely aspirational for all but a few organizations, we call it CIAM 3.0. As a vendor that focuses on CIAM and integration, it is our intention to support organizations wherever they are in the evolution of their CIAM initiative.

Key considerations

Wherever you are on your CIAM journey, you need to keep a few key factors in mind. As you move towards offering a more personalized experience for your customers, obtaining their consent is paramount. Customers need to opt in to you gathering their identity and personality information so that you can deliver personalized experiences that delight them. Ultimately, it’s up to the end customer to decide whether an organization can track their identity and personality information in order to enhance their experience. At WSO2, we are excited about emerging concepts such as decentralized and self-sovereign identity that will empower customers to share only the information necessary to optimize their experience while also protecting their privacy.

Snippets of identity and personality information, if not unified to create a digital double, will limit the extent to which you can offer personalization. However, unifying them can only be done with the customer’s full consent and a robust CIAM and integration platform. By doing so, you will be able to develop more context and predictive capabilities, enabling you to provide a more personalized experience that will delight your customers. But the scope of this comprehensive context is limited to identity and personality information directly related to the customer’s use of your products and services.

Artificial intelligence will be critical to getting the most out of your CIAM and CX initiatives. Emerging technologies such as ChatGPT and Google Bard are demonstrating the power of AI and will soon bring its use into the mainstream. It’s important that your CIAM platform utilizes AI to provide automated, real-time, and predictive personalization at the API level.

So where is your current CIAM initiative and where are you headed?

CIAM 1.0, 2.0, and 3.0 can all be accomplished with the right platform or with enough internal development to customize solutions that don’t quite offer comprehensive capabilities. Our experience working with customers at different levels of CIAM maturity has shown that although the majority of the market still focuses on the access management aspects of CIAM, some forward-thinking organizations have already progressed beyond these basics. Regardless of where you are in your journey, WSO2 offers a robust platform that is likely to significantly reduce your development costs and minimize the risks associated with continuously having to evolve your CIAM solution to keep up with the latest standards and trends.