Always‑on customer experience promises frictionless engagement at any moment, on any channel. But that promise rests on the fragile assumption that the business always knows who the customer is.
In practice, identity is often the first thing to break when systems come under stress.
During outages, traffic surges, fraud attacks, or data sync failures, customer identity resolution degrades quietly, and catastrophically. Journeys stall, customers are forced to re‑authenticate, and support queues spike, as security teams tighten controls just as customers lose patience.
That pressure is now being intensified by the growing use of AI agents to deliberately obscure or impersonate identities. They can increasingly behave like customers, moving fluidly across channels, devices and sessions, mutating signals just enough to stay plausible. The effect is identity erosion as legitimate customers get caught in the crossfire because machines have learned how to look convincingly human.
Many customer relationship management (CRM) and customer data platform (CDP) implementations, the systems meant to power seamless CX, were never designed to act as resilient identity backbones. But as enterprises push toward always‑on CX, identity is becoming a core component of operational resilience.
Why Identity Is the New CX Fault Line
Customer identity failures are becoming a measurable, systemic risk. Research shows that around 68 percent of users abandon identity checks because of a slow or failed process.
The cost is not just frustration. According to Salesforce, 88% of customers say the experience a company provides is as important as its products or services, yet nearly 61% say most companies treat them as a number, a gap that widens during incidents and peak demand.
Always‑on CX assumes continuity of context, state and trust. When identity resolution fails, that continuity collapses.
A series of digital banking outages in the UK in recent years offers a clear illustration of how identity failure can extend customer disruption long after systems are restored. According to findings from the House of Commons Treasury Committee, at least 158 banking IT failure incidents affected millions of customers’ ability to access and use services between January 2023 and February 2025.
While many of these incidents were initially related to mainframe processing issues, post‑incident investigations found that service recovery was frequently slowed by identity controls. Customers were unable to re‑authenticate, fraud systems escalated risk in response to abnormal login behaviour and identity records fell out of sync across mobile apps, online banking, and contact center platforms. Access became the limiting factor in the customer experience, turning short‑lived outages into prolonged trust‑eroding events.
Most identity failures happen because systems are optimized for steady state, not stress. For years, CRM and CDPs have been positioned as engines of personalization and orchestration. Increasingly, they are also being forced into a role they were never fully designed for, maintaining trusted identity continuity during moments of disruption.
In a recent CX Today discussion on AI‑driven cybersecurity risks to customer experience, panelists repeatedly returned to the same theme: identity breaks not just because of the sophistication of attacks but because of the scale.
“AI is making it so much easier and the volume is just increasing,” said Randy Layman, Chief Technology Officer at AVOXI.
“The tactics of most of the attackers are not changing very much. It’s just so much easier to do it. For the bulk of what we’re seeing, it’s volume—more and more and more.”
That volume overwhelms identity resolution. When CRM lookups slow, CDP identity graphs lag, or CIAM services degrade under load, systems default to uncertainty. Customers who were recognized moments ago are suddenly treated as strangers.
How Identity Breaks Under Pressure
As Karthikeyan Selvarajan, Security Architect at IBM puts it: “In many organizations, access reviews still rely on static data and spreadsheets that are approved without careful review. Without observability, security teams are enforcing policies without fully understanding real-world identity behavior.”
Scale and Latency Erode Confidence
Most enterprise identity architectures are optimized for steady‑state conditions. But under peak demand, real‑time identity resolution begins to fray.
“The first thing AI is doing is volume,” said Ron Zayas, CEO of Ironwall by Incogni. “The second thing it’s doing is incorporating more information. The more I know about you, the better I can go in.”
As systems struggle to reconcile signals in real time, identity confidence scores drop. The customer experiences this as the friction of repeated logins, step‑up authentication, or unexplained access denial.
Partial Data Loss Creates Identity Amnesia
Identity systems rarely fail cleanly. A consent flag drops, a device ID fails, or a sync between CRM and CIAM systems lags behind.
Without a persistent “last known good” identity state, organizations lose continuity mid‑journey. Customers are asked to prove who they are again, and again. Systems demand certainty from humans at exactly the moment machines have more context than people do.
Cross‑Channel Handoffs Break Identity Context
Always‑on CX depends on seamless transitions: digital to contact center, bot to human, self‑service to agent. But identity context often fails to follow. When CRM, CDP and CIAM systems aren’t tightly aligned, agents are forced to re‑verify customers during incidents, amplifying frustration and abandonment.
CRM vs CDP: Who Holds Identity Together?
CRM and CDPs play different roles in identity resilience.
CRMs remain the system of record for known customers and frontline workflows. But most depend on upstream identity services and real‑time availability. When CRM identity resolution falters, agents lose the context they need most.
CDPs excel at stitching fragmented signals from devices, behaviors and attributes into identity graphs. Many can maintain probabilistic confidence even when signals degrade. But CDPs typically infer identity rather than enforce it. Without tight operational integration, their insights don’t always influence real‑time CX decisions.
The missing layer is persistent identity state. Resilient CX requires intentional design around identity continuity that includes a shared identity graph across CRM, CDP and CIAM, explicit confidence thresholds and defined fallbacks when real‑time resolution fails. There should also be clear ownership of “trusted,” “suspect” and “unknown” states.
Identity must be treated as infrastructure, not metadata.
The Security–CX Tradeoff Is Real, But Not Inevitable
Many IAM approaches remain focused on users and controlled environments, but AI agents already interact across enterprise identity systems.
Research by Ping Identity describes a failure mode in which “AI agents combine individually legitimate permissions in unintended ways, resulting in actions that bypass established controls and cannot be fully traced or governed. This failure mode represents a new class of identity risk in environments where AI agents operate autonomously across enterprise systems.”
When identity confidence drops, security teams respond with control, increasing step‑up authentication. Lockouts multiply, abandonment rises and the involvement of AI agents makes managing incidents even more complex.
Only 18 percent of respondents to a survey commissioned by Strata Identity and conducted by the Cloud Security Alliance (CSA) are “highly confident” that their current IAM systems can manage agent identities effectively.
Rather than implementing purpose-built, runtime authorization aligned to agent intent and context, around half of organizations are extending existing human identity access management models to discover and govern agent behavior. That results in mismatched privilege boundaries and unclear accountability. They can see “some agents some of the time, but rarely in one place or in real time,” Strata noted.
But blanket friction isn’t inevitable.
As Layman said in CX Today’s roundtable discussion:
“We need to stop thinking about authentication as a black‑and‑white yes or no. It’s a continuum of probability. You might be 95 percent likely to be Ron—or 25 percent likely. That should entitle you to different things.”
Graduated authentication, in which access scales with confidence and risk, allows organizations to preserve CX without compromising security.
“We’re going to have to get much better at breaking the path,” Zayas added. “Not everything deserves the same level of friction.”
Security friction damages CX most when it’s unexpected.
“If we insist that everything will be easy and rosy, perhaps we are lying,” said Miguel Fornes, Information Security Manager at Surfshark. “There is a security paradox. The most secure computer is switched off in a bunker.”
Customers are more accepting of friction when they understand why it exists.
“We tell customers upfront: this is going to be an unpleasant experience,” Zayas explained. “Not because we want to make it hard—but because if we made it easy, we’d be giving away the keys to the kingdom.”
Expectation‑setting, not friction elimination, is becoming the defining CX skill.
Across industries, leaders are rethinking identity as a core component of operational resilience. Setting customer expectations, rather than focusing on eliminating friction, is key. Clear communication that explains why friction exists, when it will occur and what customers can expect next turns security into a signal of competence, reducing frustration even when experiences slow down. Transparency is the difference between customers feeling protected and feeling punished. As Fornes suggested:
“Security assumes controls will fail. That philosophy needs to apply to identity too.”
That means designing for identity degradation, prevention and recovery journeys and continuity under pressure.
When Identity Fails, CX Fails and AI Raises the Stakes
Always‑on CX doesn’t fail when systems go down. It fails when identity disappears. When customers lose recognition, trust evaporates but when identity holds—even imperfectly—recovery becomes possible.
Eric Olden, Co-Founder & CEO at Strata Identity, explained that “enterprises are coming to realize that securing AI agents isn’t just about tweaking existing IAM processes, rather it requires rethinking identity architecture altogether. Static credentials, manual provisioning, and siloed policies can’t keep pace with the speed and autonomy of agentic systems.”
“The future of identity must be orchestrated, contextual, and continuous, enabling real-time authentication, authorization, and auditing wherever agents operate.”
The organizations that successfully navigate identity management of humans alongside agents will be the ones that never forget who the customer is, especially when everything else is breaking.
