Subscribe to the Non-Human & AI Identity Journal

Physical Access Device

A physical access device is any credential that allows entry into a controlled environment, such as a badge, key, or key card. It should be managed like a credential lifecycle item, with issuance, tracking, return, and revocation tied to employment status and access need.

Expanded Definition

A physical access device is a controlled credential used to prove authorisation at a doorway, turnstile, cabinet, or other restricted point. In practice, the term covers badges, proximity cards, smart keys, mobile-enabled tokens used for door systems, and other issued items that function as access credentials rather than simple identifiers. The security significance is not the object itself, but the trust placed in it: possession of the device often becomes the basis for entry, so loss, duplication, or reuse can create immediate exposure. Standards and control frameworks generally treat these items as part of a credential lifecycle, which means issuance, replacement, return, and revocation must be tracked with the same discipline as other credentials; see NIST SP 800-53 Rev 5 Security and Privacy Controls for related identity and access control expectations.

Definitions vary across vendors when physical access devices are bundled with logical access cards, visitor passes, or building-management tokens, so the operational boundary is not always consistent. NHI Management Group treats the term as a credential management object with a direct security effect, especially where access events are logged, monitored, or tied to HR and badge administration systems. The most common misapplication is treating a lost or returned badge as a facilities issue only, which occurs when organisations fail to revoke access promptly across every connected access system.

Examples and Use Cases

Implementing physical access device management rigorously often introduces administrative overhead, requiring organisations to balance convenient entry for staff against stronger control over issuance, return, and replacement.

  • A staff badge grants entry to office floors and secure meeting rooms, with activation tied to onboarding and deactivation tied to termination.
  • A contractor key card is limited to specific doors and expires automatically at the end of the engagement, reducing unnecessary standing access.
  • A privileged facilities key opens a server room or comms closet and is stored in a controlled sign-out process to support auditability.
  • A visitor pass is issued for a short period and visually distinguishes temporary access from employee credentials, lowering the risk of reuse.
  • A lost card is reported to security operations, then disabled in the access control system and replaced only after identity verification.

These controls align with the broader access governance intent reflected in NIST SP 800-53 Rev 5 Security and Privacy Controls and are increasingly relevant where physical credentials are integrated with identity platforms. They also intersect with modern identity assurance patterns, because the card or badge often becomes a proof point in downstream access decisions even when the initial identity check happened elsewhere.

Why It Matters for Security Teams

Physical access devices matter because they convert identity decisions into real-world entry rights. If they are not governed tightly, an organisation may have strong logical access controls while leaving doors, cabinets, labs, or high-security spaces exposed to former staff, contractors, or duplicated credentials. That creates a gap between HR records, badge systems, and facility controls that attackers or careless insiders can exploit. Security teams need to view the device as a credential with a lifecycle, not a simple plastic object, and to ensure revocation, reissue, and audit trails are consistent across systems. Where physical access is tied to non-human systems such as badge-enabled secure enclosures, the same lifecycle discipline is recommended by identity-oriented guidance such as the OWASP Non-Human Identity Top 10, especially when a device or token acts as an access bearer.

The risk becomes acute after a termination, theft, or security incident, when organisations discover that a badge, key, or card still opens something important. Organisations typically encounter access compromise only after a loss or insider event, at which point physical access device governance becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA Identifies access control as a core security governance outcome.
NIST SP 800-53 Rev 5 IA-5 Covers authenticator management for credentials used in access decisions.
NIST SP 800-63 AAL2 Supports credential assurance thinking where a device backs an access decision.
OWASP Non-Human Identity Top 10 Non-human credential lifecycle patterns map well to issued physical access devices.
NIST Zero Trust (SP 800-207) SC Zero trust demands continuous verification beyond possession of a credential.

Treat physical badges and keys as access controls with defined issuance, review, and revocation processes.