

The functional difference between IAM and CIAM is this: are you managing internal employee identities (IAM – aka legacy/enterprise/internal IAM) or external customer/consumer identities (CIAM)?

  • IAM (Identity and Access Management) – control of what employees can & cannot do, making sure that the organisation’s systems are not accessible to anyone external.
  • CIAM (Consumer/Customer Identity and Access Management) – managing external identities – be it customers, partners, contractors, things or even citizens.

While it may not be immediately clear why this difference would call for drastically different platforms, the two groups have very different requirements.

User experience

The demands on an IAM system in terms of user experience (UX) are important, but not as critical as in a CIAM system. This is because employees (usually) do what they are told and use the systems the employers provide for them – and are often trained to do so.

In contrast, user experience for customers (or ‘customer experience’) is one of the key success factors in today’s digital business. If you deliver a bad experience, your customers will leave unhappy, quickly moving to another service provider and taking their money – your revenue – with them.

Platform flexibility

Another difference between IAM and CIAM is in how the environments are treated. In an enterprise environment (IAM), changes to the system tend to be slower, and the systems are quite inflexible. It’s not commonplace for such systems to constantly keep up with the latest trends and hop on board with every new technology. This is in stark contrast to customer-facing solutions, which do try to update system features on a regular basis, as it could be a way to stand out from the competition.

Rigid enterprise IAM solutions are not built for these kinds of demands, but CIAM should enable quick changes to be made through simple configuration.


Scalability

Scalability is a big differentiator between IAM and CIAM. For any size of company, the number of employees rarely matches the potential number of consumers. For example, a customer-facing solution might have a million users, but nowhere near that many employees. Therefore, the scalability requirements for IAM and CIAM solutions are hugely different.

Using an IAM solution for an external service with a substantial number of users is a recipe for disaster, as an IAM solution is not likely to scale to meet the requirements.

Managing identities

Internal IAM is driven by the Human Resources team and the number of identities doesn’t usually fluctuate rapidly – adding or removing employees, or amending roles and access, is a difference of a few hundred per day in even the largest organisations.

Compare this to an external system, where the number of users (hopefully) grows rapidly and the need to effectively manage these identities is crucial. CIAM is built for you to know exactly who is accessing your online services, but also in which role they are entering, or which organisation they represent, without manual effort.

Privacy, trust & data regulation

Companies want to own their employee identities, at least to some extent. The concept of Bring Your Own Identity (BYOI) might change this to some degree, but still the ownership of access privileges (roles, authorisations) should remain in the control of the company, not the user, for internal identities.

For external identities, trust and users feeling in control of their data is much more important, particularly in light of certain regulations (such as GDPR). CIAM can provide crucial transparency and the possibility for the end customer to manage, erase and export/transport their own data, providing the much-needed trust element.


Revenue

The final difference is quite a simple one – does the solution bring in revenue? Internal IAM, with the emphasis on employees, isn’t intended to bring revenue to the company. CIAM solutions may well bring in revenue by enabling new digital services, or at least saving on support costs.


In summary, the underlying technology for both IAM and CIAM can be similar, but what differentiates the two is the functionality built on top of those basic building blocks.

For more detail on the difference between IAM and CIAM, including applied use case examples, download the white paper ‘The Difference Between Internal IAM and Customer IAM’.