By NHI Mgmt Group Editorial TeamPublished 2026-04-21Domain: Governance & RiskSource: AlertEnterprise

TL;DR: Mobile credentials are being positioned as a governance and user-experience lever for large physical access programmes, with the source highlighting examples such as $90M in annual savings and large-scale bank deployments. The real issue is not the credential form factor alone, but whether identity, access lifecycle, and cardholder governance are coherent enough to support it.


At a glance

What this is: This is a case-study roundup about mobile credentials and physical identity access management, with a focus on governance, scale, and operational efficiency.

Why it matters: It matters because physical access programmes still depend on identity lifecycle discipline, and the same governance gaps that affect IAM and NHI control quality also show up in badge, visitor, and cardholder management.

By the numbers:

  • Mobile credentials that delivered $90M in annual savings show how access modernisation can produce measurable business impact at scale.
  • One of the United States’ leading banks secures more than 300 buildings, supports 40,000+ active cardholders, and manages 75,000 annual card access requests.
  • A leading energy provider has served 15 million people across 50,000 square miles for more than 130 years, underscoring the scale of physical access governance.

👉 Read AlertEnterprise's case study on mobile credentials and PIAM governance


Context

Mobile credentials matter because physical access governance still depends on the same underlying identity discipline as digital access: lifecycle control, entitlement accuracy, and revocation when roles change. In large organisations, the challenge is less about whether a credential can be issued on a phone and more about whether the access programme can manage it at scale without losing oversight.

The source frames mobile credentials as part of broader security convergence rather than a stand-alone convenience feature. For IAM, IGA, and PAM teams, that means the relevant question is whether physical identity data, access approvals, and downstream governance processes are aligned enough to support modern access models.

Across the examples cited, the common pattern is not novelty but operational scale. These programmes are typical of organisations that have outgrown manual, siloed physical access administration and need tighter identity governance to reduce friction without weakening control.


Key questions

Q: How should organisations govern mobile credentials in physical access programmes?

A: Govern mobile credentials through the same lifecycle controls used for other access types. Tie issuance and revocation to authoritative identity records, require explicit approval for exceptions, and ensure access reviews cover mobile, badge, and temporary credentials together. The key is not the credential format but whether the governance workflow is complete and auditable.

Q: Why do mobile credentials create governance challenges at scale?

A: They create governance challenges when access records, approval workflows, and revocation processes are fragmented across sites or systems. Scale increases the chance of orphaned access, delayed offboarding, and inconsistent policy enforcement. Mobile credentials work best when physical access administration is managed as an identity lifecycle process rather than a local facilities task.

Q: What do security teams get wrong about physical access modernisation?

A: Teams often focus on convenience and user experience before confirming that entitlement governance is reliable. That can leave legacy badges, temporary passes, and mobile credentials governed by different rules. The result is inconsistent enforcement and weak auditability, even when the technology itself performs well.

Q: How can teams tell whether their physical access controls are actually working?

A: Look for revocation completion, access review closure, orphaned credential rates, and exception volume. If those metrics are not improving, the programme may be modernising the front end while leaving governance unchanged. Effective physical access control should reduce manual follow-up and make accountability easier to prove.


Technical breakdown

How mobile credentials change physical identity access management

Mobile credentials replace or supplement plastic badges with identity assertions delivered through a handset, but the governance model behind them is what determines security. The credential still needs issuance, binding to a person or role, revocation, and auditability. If those controls remain weak, the delivery form factor changes but the risk profile does not. For large environments, mobile access also introduces device trust, enrolment assurance, and exception handling requirements that must be integrated with identity records and access policy.

Practical implication: treat mobile credentials as an access lifecycle problem, not a technology swap.

Cardholder governance and lifecycle control at scale

Physical access becomes harder to govern as the number of buildings, cardholders, and requests grows. Cardholder lifecycle management has to track joiners, movers, and leavers, plus temporary access and visitor flows. When approvals, revocations, and recertifications are spread across multiple systems, the programme accumulates orphaned access and slow offboarding. That is the same failure mode seen in broader identity governance, just applied to doors and facilities rather than cloud accounts.

Practical implication: centralise joiner-mover-leaver controls for physical access so revocation and review are consistent across sites.

Why security convergence matters for physical access programmes

Security convergence means physical identity, digital identity, and governance processes are managed together rather than as separate silos. In practice, this helps organisations connect access approvals, asset or location policies, visitor management, and audit evidence in one model. The advantage is not only efficiency. It is also better control visibility, fewer duplicate records, and clearer accountability when access decisions are challenged. For enterprise environments, convergence is the difference between managing credentials and managing trust.

Practical implication: align physical access workflows with the same governance and audit standards used for IAM and IGA.


NHI Mgmt Group analysis

Mobile credentials are only as secure as the identity lifecycle behind them. The source positions mobile access as a governance improvement, but the underlying control question is whether issuance, revocation, and access review are actually tied to a reliable identity source of truth. Without that, mobile credentials simply move the same governance weaknesses from a badge to a phone. Practitioners should evaluate the lifecycle model before they evaluate the user experience.

Physical access scale creates the same governance pressure seen in digital identity sprawl. Hundreds of buildings, tens of thousands of cardholders, and large request volumes create entitlement drift if approvals and removals are not centralised. That is not a facilities-only problem. It is an identity governance problem that belongs in the same operating model as IAM and IGA. Practitioners should measure physical access with the same discipline they apply to privileged digital access.

Security convergence is the right frame, but only if governance is real rather than cosmetic. Bringing people, processes, data, and technology together only matters when it produces consistent policy enforcement and audit evidence. Otherwise, convergence becomes a reporting layer over fragmented controls. The field should stop treating mobile credentials as a point solution and start treating them as part of a unified identity governance architecture.

Access modernisation is now a control design problem, not a convenience project. The savings figures in the source show that large organisations are already linking access change to measurable outcomes. That shifts the practitioner question from whether mobile credentials are usable to whether the surrounding controls can support them at enterprise scale. Teams should use this as a trigger to reassess physical identity governance maturity.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% only partial visibility.
  • That visibility gap points directly to the next governance question in 52 NHI Breaches Analysis: where access exists, who can prove it should still be there?

What this signals

Physical access modernisation will increasingly be judged by governance evidence, not interface quality. Organisations are moving toward access models that blend mobile credentials, badge systems, and visitor management, but the control test is unchanged: can the programme prove who has access, why, and for how long? If not, the modernisation project will only repackage administrative debt.

Access lifecycle convergence is the real operational prize. The best programmes will stop separating physical access from IAM and treat both as governed entitlements with explicit approval, review, and revocation paths. That shift will matter most in large estates where manual exception handling has become the hidden source of risk.

Identity governance teams should expect physical access to enter the same board-level control conversation as digital access. As programmes scale, the metric that matters is not adoption of mobile credentials but whether entitlement drift, orphaned access, and audit effort are falling over time.


For practitioners

  • Map physical access to the identity source of truth Ensure cardholder and mobile credential records are linked to authoritative HR, contractor, or visitor data so joiner, mover, and leaver events update access automatically. Separate exceptions should require explicit approval and be time bound.
  • Unify revocation across mobile and badge credentials Design a single offboarding workflow that removes all physical access entitlements at the same time, including mobile credentials, legacy badges, temporary passes, and location-specific permissions.
  • Review physical access with the same cadence as IAM Include buildings, cardholder groups, and high-risk locations in periodic access reviews so entitlement drift is visible before it becomes operational debt. Use review evidence to validate policy enforcement, not just attendance.
  • Measure governance outcomes, not adoption alone Track request volume, approval latency, revoked-access completion, and orphaned credential counts to determine whether modern access tooling is improving control or simply improving convenience.

Key takeaways

  • Mobile credentials do not solve access governance on their own.** The control problem remains lifecycle management, entitlement accuracy, and auditable revocation.
  • Large physical access environments create the same drift problems seen in IAM and NHI programmes.** Scale exposes weak approval flow, poor offboarding, and inconsistent review.
  • The practical win comes from convergence.** Physical access, IAM, and governance processes should be managed through one control model rather than separate operational silos.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-4Access permissions and revocation are central to physical credential governance.
NIST SP 800-53 Rev 5AC-2Account management applies to cardholder and mobile credential lifecycle control.
NIST Zero Trust (SP 800-207)Zero Trust thinking reinforces continuous verification of access entitlement.
ISO/IEC 27001:2022A.5.15Access control policy governs how physical and identity access should be authorised.

Map physical access workflows to PR.AC-4 and verify entitlement changes are enforced across all sites.


Key terms

  • Mobile Credential: A mobile credential is a digital access token delivered to a handset instead of a plastic badge. In governance terms, it is still an identity-bound entitlement that must be issued, monitored, and revoked through the same lifecycle controls as any other physical access credential.
  • Physical Identity Access Management: Physical Identity Access Management is the discipline of controlling who can enter buildings, spaces, and facilities through governed identity processes. It links access decisions to authoritative records, approvals, recertification, and revocation so physical access can be audited with the same discipline as digital access.
  • Security Convergence: Security convergence is the integration of physical security, identity governance, and operational policy into one control model. The aim is not just efficiency. It is to make access decisions consistent, traceable, and easier to prove across systems that were historically managed apart.

What's in the full article

AlertEnterprise's full case study covers the operational detail this post intentionally leaves for the source:

  • Implementation context behind the mobile credential deployment and why the organisation changed its access model.
  • The specific governance and user-experience outcomes attributed to the programme, including the reported savings figure.
  • Example deployment patterns for large, distributed estates that need to support thousands of cardholders and access requests.
  • How the case study frames physical identity and security convergence for enterprise teams.

👉 AlertEnterprise's full case study covers the access model, governance outcomes, and deployment context.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org