I’m partial to KnowBe4 for phishing training/stats/campaign suggestions, and secure authenticator onboarding (MFA) made mandatory for frequent failing users. That’ll mitigate credential loss, with EDR mitigating malware from clickers. Education and behavioral improvements primary with technical controls closing gaps.

For customer IAM, passkeys. Both hosted and open source idps support them.