How a Product Mindset Benefits API and IAM Strategies

Posted in Business Models, Security
Bill Doerrfeld, September 22, 2025

Identity and access management (IAM) is integral for protecting digital applications and APIs. IAM is core for segmenting appropriate API access for partners, public consumers, and now, with the rise of generative AI, AI agents. Yet it’s not always baked into the core product mindset driving today’s API initiatives.

Elisabeth Falck from If will explore how a product mindset improves API and IAM strategies at Platform Summit 2025.

One person with much experience in APIs and IAM is Elisabeth Falck, head of digital business enablers at If P&C Insurance, a major insurance company serving the Nordic and Baltic regions. IAM is an important aspect of If P&C’s overall API business strategy, which is key to the company’s digital transformation efforts across its partner network.

According to Falck, taking a product mindset for APIs and IAM has been clutch. Bringing product principles to APIs and IAM has led to faster time to market, better partner onboarding, enhanced developer experiences, and direct revenue. IAM is also set to play a role in providing AI agents with personalized and secure access to APIs, predicts Falck.

Check out the interview with Falck below, and be sure to attend Platform Summit 2025 to watch her session “APIs and IAM in If P&C Insurance – the Leading Digital Insurer in the Nordics.” Also, dive deep into topics related to API security and access management at the API Security UnConference on day zero!

Interview with Elisabeth Falck

What are some key API use cases at If P&C, and how do they align with your digital strategy? How are your partners leveraging the API platform?

If P&C uses APIs to embed insurance services into partner ecosystems such as car dealerships, real estate platforms, and health services. Our API platform supports over 70 external partners, 120 internal teams, and handles more than 40 million monthly API calls.
Key use cases include get quote and buy flows for insurance, claims handling, and lead generation. Partners like Viking, SBAB Bank, Polestar, and Preglife leverage APIs for various use cases such as improving claims management, personal financial management, car purchase flows, and supporting women through pregnancies.

What is the importance of access control and security in this context? Is it challenging to manage access and identity for different partners and various needs?

Identity and access management and security are critical to succeeding with our API strategy. APIs are secured using different types of OAuth flows and other security mechanisms. We use Curity Identity Server, Azure API Management, and an F5 platform in combination to protect our APIs. IAM ensures scoped access across channels and devices, with monitoring tools for malicious traffic and incident response aligned with DORA regulations. We also perform IAM reviews of our own and our partners’ applications to make sure they are done according to best practice.

Managing partners’ access to our developer portal and other portals is complex but addressed through federated identity provisioning (SSO), multi-factor authentication (MFA), or BankID authentication.

Why has a product mindset been so effective for your API and IAM strategies? How do you evolve these capabilities over time, and what business benefits have you seen as a result?

A product mindset ensures that we develop the right APIs for our customers and partners. We use classic business modeling processes to ensure that value is delivered. Tight collaboration between business and IT is needed, and it is important not to just view APIs as technical assets. Managing APIs as products is important for good API customer experience and for API lifecycle management. Our developer portal is like a store for our API products — it works as an inventory catalog with self-service and transparency for both internal and external API customers.
A product mindset supports scalability, lifecycle management, compliance, and innovation, resulting in smoother onboarding and improved partner satisfaction. Business benefits include faster time to market, increased presence at our customers’ life events, and direct revenue through embedded sales of insurance.

How has If P&C implemented partner identity and access management? What technologies, standards, or tools have been most helpful in supporting that product mindset?

Partner IAM is mainly implemented using Curity Identity Server for authentication, consumer identity management for managing identity attributes, combined with services in backend systems for authorization. Identity federation (SSO), MFA, and BankID are methods used for the authentication of partners, depending on the level of assurance (LoA) needed. Adherence to standards such as OpenID Connect and SCIM is key.

The onboarding process for partners to APIs involves legal agreements, design of customer journeys, IAM assessments to review security, and self-service access via the developer portal. This way of working ensures compliance and a consistent experience when consuming our APIs.

Can you share any challenges If P&C encountered when implementing an API and IAM strategy, and how you overcame them? And what were the lessons learned?

One of our major challenges has been the lack of backend APIs and unstructured or unavailable data, which is hard to expose through APIs. We are a company with many years of experience and legacy technology, including mainframes and processes that pose a challenge for API production.

We have addressed these challenges by focusing on data mesh and API-first principles and applying a modern microservices architecture. Over five years ago, we started migrating to modern IAM and API platforms, as centralized enablers, and established a production approval process (PAP) to ensure adherence to best practices and guidelines.
Lessons learned include the importance of business and IT working side by side, early alignment on architecture, a focus on data availability and data ownership, evolving IAM and API platforms according to new needs, and managing security and privacy risks during development and onboarding.

Looking ahead, what trends do you see shaping API and IAM strategies in the next few years?

Future trends include supporting customers in a personalized, timely, and secure manner in an integrated digital era. We expect to grow our ecosystems of partners and thereby more need for automation and self-service for our APIs and IAM capabilities.

APIs and IAM are key for AI solutions and particularly for AI agents to get data and functionality. Support for Model Context Protocol (MCP), or similar protocols, will be important to serve the agents in a structured and secure manner. Customers and employees using AI agents need accurate, personalized, and timely data, and APIs and IAM capabilities will play a key role in that.

DORA, European Identity Wallet, and Financial Data Access Regulation (FiDA) will, in addition, have an impact on the API and IAM strategies for us and other financial companies in Europe.