Table of Contents
On 28 April 2025, Gartner published its Innovation Insight for Customer and Partner Identity and Access Management to help IAM leaders plan out CIAM and PIAM initiatives. We believe the report clears up access management terminology, lists out common CIAM and PIAM requirements, and contains several practical tips and insights to help organizations think through their external IAM strategy. We are also happy to share that Descope has been included in the report as a Representative Provider of CIAM and PIAM services.
This blog will share our reflections on recommendations made in the report and how they align with learnings from hundreds of Descope customers. Gartner clients can access the full research note through this link.
The struggle of building in-house
Several organizations, whether a Day-0 startup or large enterprise, face the “Build vs Buy” conundrum when it comes to customer and partner IAM. At present, in-house deployments dominate this market, with Gartner saying:
“Over 50% of organizations are using either a combination of homegrown CIAM solutions or no solution at all (in the case of noncustomer-facing organizations).”
The rise of agentic AI, digital-native user expectations, and identity-based cyberattacks mean that organizations building and maintaining in-house CIAM are fighting an uphill battle. Keeping up with modern identity protocols and evolving user needs while ensuring identity flows are secured against cyberattacks distracts developers from core product efforts.
Gartner says:
“Avoid using precious in-house resources to develop CIAM or PIAM capabilities that vendors can offer out of the box. Choose IAM tools for each use case that meet the organization’s requirements for either customer or partner IAM projects.”
We have helped several organizations like GoFundMe, SmithRx, a publicly traded HRIS company, and a leading community engagement platform migrate millions of identities from home-grown setups to Descope–enhancing customer experience, improving security, and saving developer time in the process. Here are a few drivers we have seen for organizations moving away from in-house CIAM builds:
Digital transformation: Initiatives to reduce user friction, simplify onboarding, and improve mobile experience.
Security / compliance: Adding phishing-resistant MFA, user consent mechanisms, and fraud prevention controls to enhance security or comply with expanded privacy regulations.
Developer productivity: Initiatives to refocus developer time and resources by moving away from time-consuming and costly in-house CIAM toolsets.
Customer 360: Efforts to consolidate identity flows across multiple external-facing portals and different identity providers.
Moving beyond B2C and B2B silos
Since Descope’s inception, we have aimed to create a platform to help both B2C and B2B organizations simplify their customer authentication and identity management. But the more organizations we spoke with and served, the more we realized that B2C and B2B is a false dichotomy.
Take GradRight, a leading EdTech provider in India that serves students (B2C), university admins (B2B), and loan officers (B2B). Or You.com, an enterprise AI platform with millions of users (B2C) and several enterprise customers (B2B). Or CARS24, an online car marketplace that serves buyers and sellers (B2C) as well as distributors and insurers (B2B).
Given enough time to mature, every organization converges to serve a mix of individuals, businesses, and partners with their applications and digital portals. Gartner says:
“The reality is that any mature CIAM implementation contains elements of both B2C and B2B, as customers typically include both individuals and organizations. Further complicating matters is the fact that interactions with vendors and business partners also include elements of both B2C and B2B, because they deal with both individuals and organizations within their user constituencies.”
Given this reality, we believe organizational requirements from CIAM must avoid solely focusing on line-items in RFPs and consider the following broader tenets:
Unified platforms that provide IAM functionality for individuals and businesses in one control plane.
Flexible platforms that adapt to an organization’s growth as their stakeholders–and their authentication needs–change with time.
Developer-friendly platforms that abstract away all parts of identity complexity–protocols, adaptive risk, session management, admin UI–and let builders focus on building.
Gartner says:
“The answer is in redefining B2C and B2B to no longer represent user constituencies, but instead describe collections of IAM functionality: one targeted at supporting individuals (B2C) and one targeted at supporting organizations (B2B — technically, a group of users who are all part of a single organization).”
Keep workforce IAM for your workforce
We believe this research note is a heartening step in the right direction to highlight how management of external identities is distinct from capabilities offered by workforce IAM solutions.
The increased focus on digital experience, flexibility, and interoperability within CIAM and PIAM is leading organizations to rethink how they manage external identities instead of relying on basic use cases from their existing workforce IAM solution.
Gartner says:
“Be prepared to look beyond traditional multiconstituency AM vendors, particularly for complex CIAM and PIAM use cases.”
Here are just a few examples where the static and rigid nature of workforce IAM solutions falls short for CIAM and PIAM initiatives:
Dynamically capturing custom user and tenant properties during authentication and tailoring the user journey accordingly (e.g. checking if the user logging in has an SSO-enabled domain and enforcing SSO in that case).
Experimenting with user journey flows to introduce new auth methods in a staggered manner, compare dropoffs between different auth methods, and so on.
Orchestrating identity information across a variety of security and business tools (e.g. creating a HubSpot contact after user signup, getting risk scores from reCAPTCHA before enforcing MFA, localizing user-facing screens to other languages based on the users’ browser settings).
Customizing admin UI to expose different identity management capabilities to different personas (e.g. showing user profiles to all users but role and access key management only to tenant admins).
Unifying identity flows across disparate apps including off-the-shelf solutions (Zendesk, Salesforce, Shopify, WooCommerce) while still giving each portal a customized and branded authentication UI.
The driving force behind the above use cases and more is the stakeholder being served. External stakeholders have different UX and security expectations, changing needs, and are more transient than employees–it thus becomes necessary to serve these stakeholders using a different IAM paradigm than what workforce IAM offers.
Conclusion
The Gartner Innovation Insight for Customer and Partner Identity and Access Management is an excellent resource to clarify and guide requirement-gathering around CIAM and PIAM initiatives. As migrations from both home-grown and workforce IAM deployments increase, we anticipate more organizations rethinking IAM for their external-facing applications and moving to a future that’s frictionless and secure for their end users while also saving developer time.
If you’re interested in trying out Descope, sign up for a free account. Have an active CIAM or PIAM project? Book a demo with our auth experts to learn more.
Gartner, Innovation Insight for Customer and Partner Identity and Access Management, By Michael Kelley, Abhyuday Data et al., 28 April 2025.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
