How should organisations govern physical access as part of IAM?

Organisations should treat badge and door access as governed identity data, not a separate facilities record. That means linking physical entitlements to HR status, role and location, then recertifying them through the same lifecycle controls used for high-risk digital access. Without authoritative reconciliation, physical access becomes impossible to prove or defend.

Why This Matters for Security Teams

Physical access is part of identity governance because a badge, turnstile permission, or door controller entitlement can be just as sensitive as a privileged token. If facilities access is managed outside IAM, security teams lose authoritative visibility into who can enter secure areas, when access should end, and whether the entitlement still matches job function, location, or risk. That gap becomes especially dangerous during transfers, terminations, and vendor offboarding.

Current guidance suggests physical and digital access should be reconciled under the same lifecycle controls, even if the enforcement systems differ. The control objective is simple: entitlement should follow an authoritative identity source, not a standalone facilities spreadsheet. NIST’s Cybersecurity Framework 2.0 reinforces governance, access control, and asset visibility as linked responsibilities, not separate silos. NHIMG’s Ultimate Guide to NHIs shows how unmanaged identities and weak lifecycle processes produce lasting exposure when revocation is not authoritative.

In practice, many security teams encounter unauthorized badge access only after a termination, relocation, or contractor change has already been missed by facilities processes.

How It Works in Practice

Govern physical access by treating it as an entitlement attached to the person record, the role, and the site. HR remains the source of truth for employment status, while IAM governs the access decision and recertification. Facilities systems can still enforce doors and zones, but the decision logic should be driven from a central identity workflow so access can be granted, reviewed, and removed with evidence.

A practical model usually includes these steps:

  • Map each badge or door zone to a business justification, owner, and review cadence.
  • Link access grants to HR events such as hire, transfer, leave, and termination.
  • Use least privilege and site scoping so location-based access is limited to the minimum required area.
  • Recertify elevated physical access alongside high-risk digital access, not on a separate facilities schedule.
  • Revoke access automatically when employment status changes or a review expires.

The operational value is auditability. If an incident occurs, the organisation can show who approved access, when it was last reviewed, and what business rule justified it. That aligns with the lifecycle and governance emphasis in NHIMG’s Lifecycle Processes for Managing NHIs, even though the enforcement target here is a badge system rather than an API key. For broader identity governance and review expectations, the OWASP Non-Human Identity Top 10 is useful because it frames entitlement sprawl, weak ownership, and poor rotation as recurring control failures.

These controls tend to break down in organisations with outsourced facilities, multiple badge issuers, or M&A environments because no single system owns authoritative reconciliation.

Common Variations and Edge Cases

Tighter physical access governance often increases administrative overhead, requiring organisations to balance faster operations against stronger proof of entitlement. That tradeoff is most visible in plants, labs, data centres, and hospitals, where access may depend on shift patterns, emergency roles, or regulatory constraints. Best practice is evolving, and there is no universal standard for every site model yet.

Some environments need temporary access for visitors, contractors, and cleaners, which should be time-boxed and sponsor-approved rather than left active indefinitely. Sensitive zones may also require dual approval or step-up review before access is granted. In distributed enterprises, badge data can lag behind HR by hours or days, so compensating controls such as same-day deprovisioning triggers and periodic reconciliation reports become essential. NHIMG’s Regulatory and Audit Perspectives is a useful reference point when evidence quality matters, and the Top 10 NHI Issues highlights how unchecked entitlement growth and poor ownership undermine defensible governance.

This model is weakest in merged organisations that run different badge platforms, because reconciliation there often stops at reporting instead of enforcing actual revocation.
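The steps listed under "How It Works in Practice" and the temporary-access and lag controls described in this section, carried through as one worked example. This is code added here to illustrate the article, not code from the original page or from NHIMG. It reconciles a badge export against an HR feed and emits one finding per entitlement that the identity record no longer justifies, together with the action (revoke, recertify, or report a missed same-day revocation). The zone names, identity IDs, field names, dates and the one-day revocation SLA are all constructed assumptions, not any HR or badge vendor's schema.

```python
"""Badge entitlement reconciliation against an authoritative HR record (added
example, not code from the original article or NHIMG). A door/zone grant survives
only while HR status, role, site, sponsor and review state still justify it; every
record below is constructed sample data and every field name is an assumption."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed zone catalogue: owner, justifying roles ("*" = any active role), site, review cadence.
ZONES = {
    "HQ-LOBBY":   {"site": "HQ",  "roles": {"*"},                    "review_days": 365, "owner": "facilities"},
    "HQ-DC-HALL": {"site": "HQ",  "roles": {"dc-ops"},               "review_days": 90,  "owner": "dc-manager"},
    "LAB-WET":    {"site": "LAB", "roles": {"lab-tech", "lab-lead"}, "review_days": 90,  "owner": "lab-lead"},
}

@dataclass
class HrRecord:
    emp_id: str
    status: str            # "active", "leave" or "terminated"
    role: str
    site: str
    status_changed: date   # last HR status change; used to measure revocation lag

@dataclass
class Grant:
    emp_id: str
    zone: str
    last_review: Optional[date]        # None = never recertified
    expires: Optional[date] = None     # set for time-boxed visitor/contractor access
    sponsor: Optional[str] = None      # required whenever expires is set
    active: bool = True
    revoked_on: Optional[date] = None  # stamped by the badge system on revocation

def reconcile(hr: Dict[str, HrRecord], grants: List[Grant], today: date,
              max_lag_days: int = 1) -> List[dict]:
    """One finding per grant the identity record no longer justifies. action is
    "revoke", "recertify" (owner review overdue) or "report" (revocation missed SLA)."""
    findings: List[dict] = []

    def flag(g: Grant, reason: str, action: str) -> None:
        findings.append({"emp_id": g.emp_id, "zone": g.zone, "reason": reason, "action": action})

    for g in grants:
        zone, rec = ZONES.get(g.zone), hr.get(g.emp_id)
        if zone is None:                    # not in the catalogue: no owner, no justification
            flag(g, "unknown-zone", "revoke")
        elif not g.active:                  # closed grant: only the same-day revocation SLA applies
            if (rec is not None and rec.status == "terminated" and g.revoked_on is not None
                    and (g.revoked_on - rec.status_changed).days > max_lag_days):
                flag(g, "revocation-lag", "report")
        elif rec is None:                   # badge with no authoritative identity behind it
            flag(g, "no-hr-record", "revoke")
        elif rec.status != "active":        # leave or termination ends the entitlement
            flag(g, "hr-status-" + rec.status, "revoke")
        elif "*" not in zone["roles"] and rec.role not in zone["roles"]:
            flag(g, "role-mismatch", "revoke")   # typical leftover after a transfer
        elif rec.site != zone["site"]:      # site scoping: no cross-site door rights
            flag(g, "site-mismatch", "revoke")
        elif g.expires is not None and g.sponsor is None:
            flag(g, "temporary-without-sponsor", "revoke")
        elif g.expires is not None and today > g.expires:
            flag(g, "temporary-expired", "revoke")
        elif g.last_review is None or (today - g.last_review).days > zone["review_days"]:
            flag(g, "review-overdue", "recertify")
    return findings

def summarize(findings: List[dict]) -> Dict[str, int]:
    totals: Dict[str, int] = {}   # totals per action: the headline of a reconciliation report
    for f in findings:
        totals[f["action"]] = totals.get(f["action"], 0) + 1
    return totals

def run_sample() -> List[dict]:
    """Constructed HR feed and badge export exercising each control in the article."""
    today = date(2025, 6, 30)
    hr = {r.emp_id: r for r in [
        HrRecord("e100", "active",     "dc-ops",     "HQ",  date(2020, 1, 6)),
        HrRecord("e101", "terminated", "dc-ops",     "HQ",  date(2025, 6, 20)),  # leaver, badge still live
        HrRecord("e102", "active",     "lab-tech",   "LAB", date(2025, 6, 1)),   # transferred HQ -> LAB
        HrRecord("e104", "terminated", "dc-ops",     "HQ",  date(2025, 6, 10)),  # revoked, but four days late
        HrRecord("v200", "active",     "contractor", "HQ",  date(2025, 6, 1)),
        HrRecord("c201", "active",     "contractor", "HQ",  date(2025, 6, 1)),
    ]}
    grants = [
        Grant("e100", "HQ-LOBBY",   date(2025, 1, 15)),
        Grant("e100", "HQ-DC-HALL", date(2025, 5, 1)),
        Grant("e101", "HQ-DC-HALL", date(2025, 5, 1)),
        Grant("e102", "HQ-DC-HALL", date(2025, 5, 1)),                              # stale after transfer
        Grant("e102", "LAB-WET",    date(2025, 2, 1)),                              # 149 days since review
        Grant("e104", "HQ-DC-HALL", date(2025, 5, 1), active=False, revoked_on=date(2025, 6, 14)),
        Grant("v200", "HQ-LOBBY",   None, expires=date(2025, 6, 15), sponsor="e100"),
        Grant("c201", "HQ-LOBBY",   None, expires=date(2025, 7, 31)),               # nobody sponsors it
        Grant("e999", "HQ-LOBBY",   date(2025, 6, 1)),                              # no HR record at all
    ]
    return reconcile(hr, grants, today)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['action']:<10} {f['emp_id']:<5} {f['zone']:<11} {f['reason']}")
    print(summarize(run_sample()))
```

The ordering of the checks is the design point: a terminated or orphaned identity is revoked before anything else is considered, so a stale review date never masks a leaver, and the lag check runs only on grants the badge system has already closed, which is what turns "we revoked it" into evidence of whether revocation met the same-day target. Every finding names the zone, so the zone's recorded owner is the person who receives the recertification request.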

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AA | Identity proofing and access governance apply to physical entitlements too. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Ownership and lifecycle control are central to governed physical access. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access management directly map to door and badge rights. |

Tie badge issuance and revocation to authoritative identity and review them as access assets.