CIAM (Customer Identity & Access Management) is where IAM meets real product constraints: conversion rates, support costs, fraud, privacy regulation, and at-scale reliability.
This page is vendor-agnostic by design: the concepts apply whether you use a homegrown stack or a CIAM platform.
Availability is part of the threat model
If login is down, users churn, support costs spike, and incident response gets messy. It also means an attacker does not need to break authentication to hurt you: knocking over login, or any dependency it calls synchronously, denies service to the whole product, so the availability of the auth path is a security property and not only an SRE concern.
What scales poorly
- global session stores without sharding
- synchronous calls to external services during login
- expensive risk scoring in the critical path
Patterns
- Cache public keys and metadata (OIDC discovery, JWKS) with a TTL; refresh on an unknown kid to handle key rotation, but rate-limit that refresh so tokens carrying random kids cannot force a fetch per request
- Fail-open vs fail-closed for risk systems: decide explicitly, per action, whether an unavailable risk service lets the request through or blocks it, and make that the coded default rather than whatever the exception handler happens to do
- Regional redundancy for auth endpoints
Checklist
- SLOs for login/registration/recovery
- Circuit breakers for third-party dependencies
- Load testing for peak events
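The caching, fail-open/fail-closed and circuit-breaker points from the two lists above, as an added Python example that is not part of the original page. The class names, thresholds, the per-action policy table and the fake-clock scenario in demo() are constructed for illustration; TimeoutError stands in for a risk call that exceeded its deadline.

```python
"""Added example (not from the page): a TTL-bounded JWKS cache, a circuit breaker around
the risk service, and a per-action fail-open / fail-closed policy. Names are constructed."""
import time
from enum import Enum
from typing import Callable, Dict, Optional

class JwksCache:
    """Signing keys served from memory; refetch on TTL expiry or on an unknown kid."""

    def __init__(self, fetch: Callable[[], Dict[str, str]], ttl_s=300.0, min_refresh_s=30.0,
                 clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._min_refresh, self._clock = fetch, ttl_s, min_refresh_s, clock
        self._keys: Dict[str, str] = {}
        self._fetched_at = float("-inf")  # forces a fetch on first use

    def _refresh(self) -> None:
        self._keys = dict(self._fetch())
        self._fetched_at = self._clock()

    def get_key(self, kid: str) -> Optional[str]:
        now = self._clock()
        if now - self._fetched_at >= self._ttl:
            self._refresh()
        # An unknown kid usually means key rotation, but the refresh is rate-limited so
        # tokens carrying random kids cannot force one JWKS fetch per request.
        if kid not in self._keys and now - self._fetched_at >= self._min_refresh:
            self._refresh()
        return self._keys.get(kid)

class CircuitOpen(Exception): """The dependency is marked down; the call was not attempted."""

class CircuitBreaker:
    """Opens after `threshold` consecutive failures and fails fast while open; after
    cooldown_s one trial call goes through (success closes it, failure re-opens it)."""

    def __init__(self, threshold=3, cooldown_s=30.0, clock: Callable[[], float] = time.monotonic):
        self._threshold, self._cooldown, self._clock = threshold, cooldown_s, clock
        self.failures, self.opened_at = 0, None

    @property
    def is_open(self) -> bool:
        return self.opened_at is not None and self._clock() - self.opened_at < self._cooldown

    def call(self, fn: Callable[[], float]) -> float:
        if self.is_open:
            raise CircuitOpen()
        try:
            result = fn()
        except Exception:
            self.failures += 1
            if self.failures >= self._threshold:
                self.opened_at = self._clock()
            raise
        self.failures, self.opened_at = 0, None
        return result

class FailMode(Enum):
    OPEN = "allow when the risk service is unavailable"
    CLOSED = "deny when the risk service is unavailable"

# Constructed policy: the choice is recorded per action instead of being whatever the
# exception handler happens to do; actions without an entry fail closed.
FAIL_POLICY = {"login": FailMode.OPEN, "change_email": FailMode.CLOSED}
RISK_DENY_THRESHOLD = 0.8

def decide(action: str, risk_score: Callable[[], float], breaker: CircuitBreaker) -> str:
    """'allow' or 'deny'; a risk-service outage costs one fast exception, not a stalled login."""
    try:
        score = breaker.call(risk_score)
    except (CircuitOpen, TimeoutError):
        return "allow" if FAIL_POLICY.get(action, FailMode.CLOSED) is FailMode.OPEN else "deny"
    return "deny" if score >= RISK_DENY_THRESHOLD else "allow"

def demo() -> Dict[str, object]:
    """Constructed scenario on a fake clock: the risk service times out, the breaker opens after
    3 failures, logins fail open while email changes fail closed, then the breaker recovers."""
    now = [0.0]
    breaker = CircuitBreaker(threshold=3, cooldown_s=30.0, clock=lambda: now[0])
    risk_calls, fetches = [0], [0]
    def slow_risk() -> float:
        risk_calls[0] += 1
        raise TimeoutError("risk service exceeded its time budget")
    def fetch_jwks() -> Dict[str, str]:
        fetches[0] += 1
        return {"kid-1": "PEM-1"}  # constructed stand-in for the IdP's JWKS document
    logins = [decide("login", slow_risk, breaker) for _ in range(5)]
    email = decide("change_email", slow_risk, breaker)
    open_after_outage = breaker.is_open
    now[0] += 31  # cooldown elapsed: the next call is the trial call
    recovered = decide("login", lambda: 0.1, breaker)
    cache = JwksCache(fetch_jwks, clock=lambda: now[0])
    burst_ok = all(cache.get_key("kid-1") == "PEM-1" for _ in range(1000))  # one fetch total
    unknown_early = cache.get_key("kid-9")  # inside min_refresh: no extra fetch
    now[0] += 31
    unknown_later = cache.get_key("kid-9")  # one refresh allowed again; kid still unknown
    return {"logins": logins, "email": email, "risk_calls": risk_calls[0],
            "open_after_outage": open_after_outage, "recovered": recovered,
            "breaker_closed": not breaker.is_open, "burst_ok": burst_ok,
            "jwks_fetches": fetches[0], "unknown": (unknown_early, unknown_later)}
```

Running demo() shows the three properties at once: five logins during the outage hit the risk service only three times (the breaker absorbs the rest), the email change is denied while the login is allowed because the policy table says so, and a burst of a thousand token checks costs a single JWKS fetch, with the unknown-kid refresh limited to one per min_refresh_s. The breaker only bounds latency if the risk call itself carries a short deadline; without that, the first few calls before it opens still stall.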
