Subscribe to the Non-Human & AI Identity Journal

Why do IAM and PACS create risk when they are not coordinated?

IAM controls logins, while PACS controls doors. When they are not coordinated, a person can lose application access and still retain badge access, or the reverse. That mismatch creates a residual access window that audit reports often miss. The practical risk is not theoretical complexity. It is continued reach after role change or departure.

Why This Matters for Security Teams

When IAM and PACS are not coordinated, security teams inherit two separate sources of truth for who should be allowed in and where. That creates a residual access window after a role change, termination, or temporary assignment, even when one system has already been updated. NHI Management Group has highlighted how access mismatches and weak lifecycle control are a recurring failure mode in Top 10 NHI Issues, and the same operational pattern appears in physical access. NIST’s Cybersecurity Framework 2.0 treats identity governance as a continuous function, not a one-time update.

The risk is not only unauthorized entry. It also affects investigations, insider-risk monitoring, and audit evidence, because a door badge may remain valid after application access has been removed, or the reverse. That gap is especially dangerous in hybrid workplaces where contractors, visitors, and privileged staff move across both digital and physical environments. In practice, many security teams discover stale PACS access only after an incident review, not through intentional offboarding control.

How It Works in Practice

Coordinated IAM and PACS means the identity lifecycle is shared, even if the systems are separate. A single authoritative event, such as hire, transfer, suspension, or exit, should trigger both application entitlements and badge states. Best practice is evolving, but current guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls supports access revocation, least privilege, and periodic review across all access paths, not only digital ones.

Operationally, teams should align HR as the source of record, map IAM roles to PACS zones, and automate event-driven deprovisioning. That usually includes:

  • Immediate badge disablement when termination or suspension is confirmed
  • Time-bound access for visitors, vendors, and temporary staff
  • Regular reconciliation between badge logs, IAM entitlements, and HR status
  • Exception handling for safety, emergency response, and regulated areas

The real control is not just revocation speed, but consistency. If one system updates faster than the other, attackers or departing insiders can exploit the lag. The pattern is similar to credential sprawl documented in Ultimate Guide to NHIs — Key Challenges and Risks, where access persists after the business justification has ended. These controls tend to break down in organisations with outsourced facilities, multiple badge issuers, or manual approval chains because reconciliation becomes too slow to trust.

Common Variations and Edge Cases

Tighter coordination often increases operational overhead, requiring organisations to balance fast revocation against safety, continuity, and exception management. That tradeoff becomes visible in plants, hospitals, data centres, and shared campuses, where physical access may need to stay available during incident response or regulated handover periods. There is no universal standard for this yet, so policy design should reflect the environment rather than assume one badge model fits all.

Some organisations intentionally keep limited PACS access after IAM removal for emergency response roles, but those exceptions must be explicit, time-bound, and reviewed. Others allow contractors to retain building access while digital access is removed, which is acceptable only if escort rules, zone restrictions, and expiry dates are enforced. NHI Management Group’s reporting on compromised identities shows how often access governance fails when lifecycle controls are incomplete, including the 2024 ESG Report: Managing Non-Human Identities and the 2024 Non-Human Identity Security Report, which notes that 88.5% of organisations say their non-human IAM practices lag behind or merely match human IAM maturity. The practical lesson is that coordination must cover revocation, exceptions, and periodic recertification, not just badge issuance.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, CSA MAESTRO and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-4 Addresses access authorization and revocation across digital and physical identity workflows.
OWASP Non-Human Identity Top 10 NHI-03 Covers weak lifecycle control that leaves identities active after role change or exit.
CSA MAESTRO IAM-03 Supports lifecycle governance for identities that span autonomous and operational access paths.
NIST AI RMF Risk governance requires continuous oversight of access decisions and exception handling.
OWASP Agentic AI Top 10 A1 Autonomous access patterns amplify the impact of stale or uncoordinated identity states.

Synchronize IAM and PACS revocation checks under PR.AC-4 and reconcile stale access on a fixed schedule.