When Security Fights Users, Users Win

One of the most striking patterns I have seen across organisations is how deeply user experience shapes security outcomes. And not "UX" in the superficial, UI-focused sense. UX is the lived experience of using a system: how natural it feels, how much friction it introduces, and whether it quietly supports or constantly interrupts the work people are actually trying to do.

When that experience is painful or confusing, people find alternatives. They look for shortcuts. They bypass whatever feels unnecessary, slow, or hostile. And the workaround they choose is almost always less secure than the control they avoided. UX is not something you add on top of security. UX is part of the security model.

When UX Breaks, People Route Around It

Shadow IT is often treated as a compliance issue or a training problem. In reality, it is very often a UX problem. People are usually not trying to violate policy. Most of the time, they are just trying to get their work done without battling their tools.

I have seen organisations deploy restrictive policies or complicated workflows with the best intentions, only to watch users seek simpler paths. Banning AI tools leads people to use them on personal devices. Overly strict VPN configurations push employees to disconnect entirely. Lengthy approval processes for cloud or software provisioning lead to personal accounts the organisation cannot see or control.

These behaviours are not signs of recklessness. They are signs of friction. When the official path becomes unworkable, people quietly route around it. Security controls that look strong in a policy document often collapse when they meet real human behaviour.

How UX Failures Create Real Security Risk

Some of the biggest security failures I have seen had nothing to do with malware, attackers, or misconfigurations. They came from poor user experience.

Password policies stuck in another decade. Mandatory password changes every 30 or 90 days, strict composition rules, and no guidance on passphrases inevitably lead to predictable patterns, incremental passwords, and reused credentials. A policy that looks strong on paper becomes weak in practice.

MFA implemented in the most annoying way possible. Requiring people to enter OTP codes repeatedly, juggle multiple apps, or reauthenticate constantly leads to shared accounts, stretched sessions, and attempts to avoid MFA altogether. Modern approaches like passkeys and platform SSO are not only more secure; they are significantly more usable.

Device and endpoint choices that ignore workstyles. Endpoint strategy should reflect what the organisation actually does. Standardising on a single OS can make sense in environments with uniform workflows. But in teams doing engineering, research, or design, the endpoint is part of the workflow. Forcing a one-size-fits-all device reduces productivity and increases frustration. A small amount of flexibility on IT's part often unlocks far more value for the people doing the core work.

Device management that interrupts more than it protects. Forced reboots in the middle of work, intrusive popups, and constant compliance warnings break focus and erode trust. The purpose of endpoint management is to maximise productive time, not reduce it with poorly timed interruptions.

Security popups and repeated reauthentication. If your system trains users to click "Allow" automatically just to continue working, it is not protecting them. It is teaching them to ignore security.

VPN configurations that punish remote work. It is surprisingly common to see VPN setups that route all traffic through a single central location. This creates slow connections, poor performance, and frustration that pushes users to disconnect whenever possible. The issue is not VPN technology itself but the experience created by its configuration.

SSO misconfigurations. When SSO fails, users fall back to local passwords, shared credentials, or avoid the system entirely. SSO is supposed to remove friction. Misconfigured SSO doubles it.

Every example above has one thing in common: the security problem only appears after the UX problem does.

Modern UX-Driven Security Patterns

Security and UX are not opposites. When designed well, they reinforce each other.

Passwordless and platform-based authentication. Passkeys, Windows Hello for Business, and Apple's platform SSO remove passwords and reduce MFA fatigue. They rely on cryptographic material tied to trusted devices, making them both secure and frictionless.

Identity-based access instead of network-based access. Tools like Tailscale and Twingate make connectivity feel invisible. Users authenticate once, and access is granted based on identity and device trust, not VPN tunnels. Better experience, smaller attack surface.

Silent security instead of noisy controls. Background patching, automatic updates, posture checks, and silent monitoring keep users productive. Security interruptions should be rare and meaningful, not constant.

Guardrails instead of gates. Least-privilege defaults, preconfigured IAM roles, and automated scanning allow people to move quickly without exposing the organisation to unnecessary risk. Guardrails guide behaviour without blocking it.

Step-up authentication where it matters. Not all actions should carry the same friction. Authentication flows should reflect actual risk.
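As an added illustration of risk-proportionate step-up (not code from the original post), here is a small policy evaluator: low-risk actions ride on the existing SSO session, sensitive ones require a fresh strong factor, and an unmanaged device raises the bar by one level. The action names, freshness windows and device-trust signal are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Ordered assurance levels; higher means a fresher or stronger authentication."""
    SESSION = 1     # valid SSO session, no recent interactive authentication
    RECENT_MFA = 2  # strong (ideally phishing-resistant) factor within the freshness window
    REAUTH = 3      # interactive authentication within the last minute


# Constructed policy table: how much assurance each action needs.
# Everyday reads ride on the session; only genuinely sensitive actions add friction.
ACTION_POLICY = {
    "view_dashboard": Assurance.SESSION,
    "download_report": Assurance.SESSION,
    "change_payroll_details": Assurance.RECENT_MFA,
    "rotate_signing_key": Assurance.REAUTH,
}

REAUTH_WINDOW_S = 60        # assumed: "just authenticated" means within the last minute
MFA_FRESHNESS_S = 15 * 60   # assumed: a strong factor stays fresh for 15 minutes


@dataclass(frozen=True)
class RequestContext:
    action: str
    managed_device: bool              # device-trust signal from endpoint posture (assumed input)
    strong_auth_age_s: Optional[int]  # seconds since last strong auth; None if none this session


def current_assurance(ctx: RequestContext) -> Assurance:
    """What the session already proves, based on how fresh the last strong auth is."""
    if ctx.strong_auth_age_s is None:
        return Assurance.SESSION
    if ctx.strong_auth_age_s <= REAUTH_WINDOW_S:
        return Assurance.REAUTH
    if ctx.strong_auth_age_s <= MFA_FRESHNESS_S:
        return Assurance.RECENT_MFA
    return Assurance.SESSION


def required_assurance(ctx: RequestContext) -> Assurance:
    """Assurance the action needs: unknown actions fail closed, untrusted devices raise the bar."""
    need = ACTION_POLICY.get(ctx.action, Assurance.REAUTH)
    if not ctx.managed_device:
        need = Assurance(min(need + 1, Assurance.REAUTH))
    return need


def decide(ctx: RequestContext) -> str:
    """Return 'allow' or 'step_up:<level>' so the caller prompts only when the gap is real."""
    need = required_assurance(ctx)
    return "allow" if current_assurance(ctx) >= need else f"step_up:{need.name.lower()}"
```

The key property is that a user viewing a dashboard on a managed laptop is never prompted, while rotating a signing key always is, even five minutes after a successful MFA.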

Across these patterns, the principle is simple: good security reduces friction instead of adding more.

Designing Security People Will Actually Use

Designing secure systems with UX in mind requires a shift in perspective. Instead of asking "how do we enforce this control," the better question is "how do we make the secure path the natural one?"

Meet users where they are. If engineers need cloud resources, give them self-service with guardrails instead of multi-week approvals. If people need speed, build secure workflows that match the pace of the work.

Do not automate broken processes. A broken process becomes worse when automated. Simplify first, automate second.

Explain the why. Users cooperate more when they understand the purpose behind a control. Context builds trust.

Use friction strategically. If everything is treated as critical, nothing feels critical. Reserve friction for moments that genuinely matter.

Measure behaviour, not deployment. A control that is bypassed is worse than no control at all. Adoption matters more than rollout.

Design with humility. IT does not exist for its own comfort. It exists to enable the work of the organisation, not to stand in its way. A user who bypasses a system is usually not being difficult. More often, the system is.

When security is designed around how people actually behave, rather than how we wish they behaved, it becomes stronger, not weaker.

The Bottom Line

Human behaviour is part of the threat model. Controls that ignore how people actually work will be avoided, bypassed, or quietly subverted. The secure path must also be the easy path. When it is, people follow it willingly. When it is not, they find alternatives. Designing for that reality is not a compromise. It is how modern security works.