In the cybersecurity world, we often talk about firewalls, zero trust, MFA and digital perimeters. However, in high-risk environments, like utilities, airports, energy, pharma and manufacturing facilities, identity governance isn’t just about digital access. It’s about physical presence.
And in many organizations, that physical layer is the weakest link.
As digital and physical systems converge, the challenge of managing who has access to what, and when, has become infinitely more complex and far more consequential. The ability to validate and govern physical access is no longer a facilities issue. It’s a critical security, safety and compliance concern that belongs squarely in the CISO’s domain.
Physical Access Is An Identity Problem
Most organizations treat physical security systems (access badges, turnstiles, building entry points) as distinct from their IT environments. That may have made sense a decade ago, yet today, it’s a false separation.
If you can’t validate that the person walking through a secure door still works for your company, or should still have access to that floor, lab or control room, you’re dealing with more than an operational oversight. You’re facing a potential breach of trust, policy or safety.
This is especially true in organizations where thousands of people move through sensitive sites every day: airports, data centers, energy plants, government facilities. One disgruntled insider, one terminated employee who still has badge access or one misconfigured access profile is all it takes, and the consequences can be immediate and severe.
And here’s the truth: In most environments, no one can confidently prove the accuracy of the access data.
The Scale And Complexity Of Physical Access Risk
Let’s take a common example.
Jessica is the executive assistant to the CEO. She has high-level building access, including the executive suite. Months later, Jessica transitions into a new role on the sales team. HR updates Active Directory, and IT reassigns her permissions, but her badge still gives her access to the executive floor.
A few months later, the sales team hires four new salespeople. The manager requests access for the new salespeople, and, rather than customizing permissions, asks that they be assigned “the same access as Jessica.” Suddenly, four junior staffers have access to the CEO’s private corridor.
Multiply this scenario across a workforce of 10,000+ people, multiple regions, dozens of secure locations and a web of local building systems. The problem compounds exponentially.
The physical security systems involved are powerful. Yet they operate independently, and are often not connected to HR records, identity directories or policy enforcement layers. Access permissions are layered, nested and often inherited or copied without validation.
Even if every person currently has a valid employment status, it’s unlikely that the following questions can be answered:
- Do they have the right access for their role?
- Have any of their permissions lingered after a change?
- Is there a single point of failure—a service entrance, lift shaft or bypass path—that too many people can exploit?
Governance Without Validation Is Just Guesswork
The common response? “We passed our last audit.” Or “We review access quarterly.” But process isn’t proof.
Ask yourself: Could you stand in front of your board or regulator and confidently declare that every access badge is accurate, every access level justified and every physical identity correctly governed?
Most security leaders can’t, because while IT identity can be reviewed with logs and user directories, physical access data lives in siloed, decentralized and unvalidated systems.
Even if you’re right, you can’t substantiate it.
And that’s the problem.
Physical Access Is OT, And It Deserves The Same Rigor
In many ways, physical security systems are operational technology (OT). They often run on separate networks, are managed by different teams and are rarely integrated into corporate IAM platforms. Like other OT systems, they are often “set and forget,” and their access lists can remain untouched for years.
The risks are no different from digital threats:
- Orphaned access for ex-employees
- Overprovisioned access based on outdated roles
- No ownership of permissions or no defined recertification processes
- Lack of visibility into who has access across multiple facilities
Yet, physical access often escapes the scrutiny applied to digital access, despite the fact that unauthorized physical entry can have catastrophic consequences.
Moving Forward: A CISO’s Physical Access Playbook
So how can security leaders bring governance, oversight and confidence to physical access systems—without disrupting operations?
Here are five principles:
- Consolidate physical access data. Collect identity and badge records from all physical access control systems across all regions and sites. Treat them as part of your overall identity ecosystem.
- Correlate with HR, directory and role data. Map each badge holder to their employment record, role, team and status. Validate that their physical access reflects current job responsibilities—not their history.
- Model access in a digital twin. Build a virtual representation of your physical access environment. See who has access to which zones, what systems are managing them and where permissions overlap or conflict.
- Highlight risky patterns and blind spots. Detect individuals with excessive or inherited access. Identify shared credentials, unused badges or high-risk entry points with mass access rights.
- Empower facilities and security to act. Don’t force change from the top. Provide localized reports that let site managers and physical security leads validate and remediate access issues on their terms, with data to support them.
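As an added example (not code from the article), the correlation and detection steps above applied to the Jessica scenario: a constructed HR feed, a constructed badge export and an assumed role-to-zone policy are reconciled to surface badges with no HR record, orphaned badges, access that exceeds the holder's current role, and access profiles cloned from another badge holder. Names, zones and the ROLE_ZONES policy are all assumptions.

```python
from collections import defaultdict

# Constructed role policy (assumption): the zones each role legitimately needs.
ROLE_ZONES = {
    "executive_assistant": {"lobby", "executive_suite"},
    "sales": {"lobby", "sales_floor"},
}

# Constructed HR feed: badge holder -> employment status and current role.
HR_RECORDS = {
    "jessica": {"status": "active", "role": "sales"},           # moved from EA to sales
    "sam": {"status": "active", "role": "sales"},               # new sales hire
    "former_employee": {"status": "terminated", "role": "sales"},
}

# Constructed access-control export: badge holder -> zones the badge opens today.
BADGE_ZONES = {
    "jessica": {"lobby", "sales_floor", "executive_suite"},     # executive_suite lingered
    "sam": {"lobby", "sales_floor", "executive_suite"},         # "same access as Jessica"
    "former_employee": {"lobby", "sales_floor"},                # badge never revoked
    "badge-0042": {"lobby"},                                    # no HR record at all
}

def reconcile(hr, badges, role_zones):
    """Correlate badge zones with HR status and role; return findings by category."""
    findings = defaultdict(list)
    excess_by_holder = {}
    for holder, zones in sorted(badges.items()):
        record = hr.get(holder)
        if record is None:
            findings["no_hr_record"].append(holder)
        elif record["status"] != "active":
            findings["orphaned"].append(holder)
        else:
            excess = zones - role_zones.get(record["role"], set())
            if excess:
                excess_by_holder[holder] = excess
                findings["excess_for_role"].append((holder, sorted(excess)))
    # Cloned profiles: an identical zone set shared by several holders, where the
    # copied set carries at least one zone that one of them should not have.
    by_zoneset = defaultdict(list)
    for holder, zones in badges.items():
        by_zoneset[frozenset(zones)].append(holder)
    for holders in by_zoneset.values():
        if len(holders) > 1 and any(h in excess_by_holder for h in holders):
            findings["cloned_profile"].append(sorted(holders))
    return dict(findings)

FINDINGS = reconcile(HR_RECORDS, BADGE_ZONES, ROLE_ZONES)
```

Each finding category maps to a remediation owner: no_hr_record and orphaned go to badge revocation, excess_for_role and cloned_profile go to the site manager for recertification.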
Physical Access Is A Security Control, Not A Side Note
In today’s threat landscape, identity governance doesn’t stop at the firewall. It extends to every card reader, turnstile, elevator and door. Especially in environments where physical presence equals risk.
If you’re not validating physical access with the same rigor you apply to digital identity, you’re not governing the full picture. You are just hoping it’s right. And when it comes to critical infrastructure, hope is not a strategy.