The buyer's journey
CIAM pain points.
CIAM decisions are made at the walls: the places homegrown and legacy systems break and force an evaluation. This is the landscape as buyers actually experience it, in three phases, with each pain mapped to the vendor capabilities that solve it.
Evaluation
3 pain points. Before a contract: underestimating identity, opaque pricing, and parsing vendors who all claim the same things while four stakeholders hold veto power.
Pricing opacity: the SSO tax and the MAU trap
MAU-based pricing punishes exactly the businesses CIAM is for, and feature gating pushes SSO, advanced MFA, and audit logs into enterprise tiers. The quoted price and the real price diverge sharply once security requirements are on the table.
Stakeholders: engineering, product, legal
The build-vs-buy trap: identity is bigger than it looks
Engineering leadership consistently underestimates identity. Login looks like a two-week feature until the unhappy paths appear, and by the time teams reach a CIAM vendor a homegrown system has usually accumulated years of technical debt.
Stakeholders: engineering, product
Vendor differentiation and the four-veto evaluation
Every vendor claims passwordless, orchestration, and fraud protection, so real differences only surface in expensive POCs. Meanwhile four stakeholders with veto power (marketing, security, legal, product) stretch evaluations to 6-12 months.
Stakeholders: engineering, security, marketing, legal, product
Deployment
5 pain points. The build itself: migrating millions of users, unifying fragmented identities, standing up multi-brand and multi-tenant models, and wiring identity into everything.
B2B multi-tenancy: the edge cases bolted-on models miss
For B2B and B2B2C companies, multi-tenancy is its own category of pain: organization modeling, per-tenant SSO with each customer's IdP, SCIM provisioning, delegated administration, and invitation flows. Many platforms bolted these on after being built B2C-first, and it shows in the edge cases.
Stakeholders: engineering, product, security
Identity unification and deduplication as a program
Almost every enterprise arrives with the same human split across an email signup, a social login, a phone-number loyalty account, and a guest-checkout record. Deduplication is not a technical problem; it is a policy problem, and security holds veto power over the matching rules marketing wants.
Stakeholders: engineering, security, marketing, legal
Integration sprawl and the single customer view that wasn't scoped
The CIAM platform has to speak to legacy apps that predate OIDC, marketing stacks, fraud tools, and support systems. The identity data model rarely matches what is scattered across CRM and marketing databases, so the promised single customer view becomes a data-engineering project the vendor did not scope.
Stakeholders: engineering, marketing
Migrating millions of users without losing them
User migration is the single most feared deployment workstream. Password hashes arrive in incompatible or unknown formats, and the choice between bulk import (which forces resets and kills 10-30 percent of dormant accounts) and lazy migration (two systems in parallel for months) has no painless option.
Stakeholders: engineering, security
Multi-brand rollout: the scenario that breaks architectures
Vendors' default tenancy models rarely match brand reality. Shared identity helps cross-sell but forces per-brand consent partitions and GDPR purpose limitation; separate identity stays clean but doubles operational load. Most large companies land on a hub model whose execution depends on unglamorous capabilities.
Stakeholders: engineering, marketing, legal, product
Operation
4 pain points. Once live: the friction-versus-security dial, scaling the directory under peak load, lifecycle and deletion cascades, and AI agents acting on behalf of users.
AI agents authenticating on behalf of customers
AI agents authenticating on behalf of customers put pressure on consent and session models that current CIAM platforms were not designed for. An agent acting for a user needs a scoped, attenuated identity distinct from the user's own session, with an audit trail that separates agent actions from human ones.
Stakeholders: engineering, security, legal
Lifecycle management: dormancy, deletion, and the cascade
Tens of millions of dormant accounts are a credential-stuffing surface and an inflated MAU bill. GDPR and CCPA deletion sounds simple until it has to cascade across the CIAM store, the CDP, the warehouse, and support tooling, which is what makes the deletion-webhook and event layer core rather than an add-on.
Stakeholders: engineering, security, legal
Scaling the user directory itself
The user store stops being a table and becomes a system. Sub-100ms global authentication, admin search across users, and bulk operations all break at once, and peak events produce 50-100x baseline login traffic on a path you cannot put behind a CDN. Rate limits are the hidden constraint.
Stakeholders: engineering
The friction-versus-security dial that never stops moving
Every added authentication step measurably drops conversion, so MFA adoption stalls, while credential stuffing and bot-driven account takeover push in the other direction. The dial never settles, and passkey rollout reintroduces phishable fallback paths it was meant to eliminate.
Stakeholders: security, marketing, product
How the mapping works
Every pain point names the exact questions to put to vendors and maps to specific columns of the capability matrix. Each pain page renders a scoped comparison of the vendors that cover those capabilities, so you evaluate on the axes that decide this problem, not a feature checklist. Pair it with the full vendor index, the vendor selector, and the methodology.