By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Gathid

TL;DR: Physical access is increasingly an identity governance problem, not a facilities-only issue, because badge data, HR records and role changes often drift apart across sensitive sites, according to Gathid. When access persists after role changes, the control gap affects safety, compliance and insider-risk management at the same time.


At a glance

What this is: This article argues that physical access control should be governed as part of identity security, with badge access validated against HR, role and site data.

Why it matters: It matters because stale or inherited physical access can undermine both human IAM lifecycle controls and the broader governance model that security teams already apply to digital identities.

👉 Read Gathid's analysis of physical access governance as an identity security problem


Context

Physical access governance fails when badge permissions are managed separately from the identity records that define employment status, role and site authorization. In high-risk environments, that separation creates a blind spot because a person can remain authorised to enter sensitive areas long after their business need has changed.

The core problem is not door hardware. It is identity drift across HR, IAM and physical security systems, where access can be copied, inherited or left untouched without a reliable validation layer. That makes physical access a governance issue for CISOs, IAM leaders and OT security teams, not only for facilities managers.


Key questions

Q: How should organisations govern physical access as part of IAM?

A: Organisations should treat badge and door access as governed identity data, not a separate facilities record. That means linking physical entitlements to HR status, role and location, then recertifying them through the same lifecycle controls used for high-risk digital access. Without authoritative reconciliation, physical access becomes impossible to prove or defend.

Q: Why does copied badge access create security risk?

A: Copied badge access creates risk because it propagates privilege based on convenience rather than need. When one person’s access is used as a template for others, the new entitlements often outlive the role that justified them. In physical environments, that can expose executive suites, labs or control areas to people who never needed that access.

Q: How can security teams tell if physical access governance is working?

A: They should look for matching records across badge systems, HR and directory sources, low rates of orphaned access, and clear ownership for every high-risk zone. If teams cannot explain why a person still has access, or cannot trace that access back to an approved role, governance is not working.

Q: Who should own physical access recertification?

A: Ownership should sit with the business and site leaders who understand operational need, with security enforcing the control and HR providing the authoritative employment signal. That split keeps recertification tied to real-world job function rather than leaving it as an administrative task inside facilities or IT.


Technical breakdown

Why physical access becomes an identity data problem

Physical access systems store badge permissions, zone entitlements and door-level rules, but those records are only trustworthy when they are continuously reconciled with authoritative identity sources. When HR, directory and facility systems are disconnected, access decisions rest on stale context rather than on current employment status or role. The result is not just excess access; it is a weak assurance chain in which no team can prove who should still enter a controlled space.

Practical implication: treat physical access as governed identity data, not a standalone facilities record, and build reconciliation between badge systems, HR and directory sources before relying on access reports.

How inherited badge access creates overprivilege

The article’s example shows a common failure pattern: access gets copied from one person to another because that is easier than assigning a role-specific entitlement. The result is inherited privilege, where a new worker receives access because they were grouped with someone else, not because their job requires it. In physical environments this is amplified by nested zones, shared entrances and local exceptions that accumulate over time.

Practical implication: model badge entitlements by role and location, then treat copied entitlement sets, inherited zone access and unused access paths as first-class governance defects to detect and remove.

Why physical security behaves like OT governance

Physical security platforms often behave like operational technology: separate teams manage them, change cycles are slow, and access lists are rarely reviewed with the discipline applied to digital identities. That is why orphaned access, overprovisioning and missing ownership persist for years. The governance failure is not the absence of a badge reader; it is the absence of lifecycle control over a system that affects safety, compliance and insider risk.

Practical implication: extend the lifecycle governance, ownership and recertification model used for other high-risk identity assets to physical access control systems.



NHI Mgmt Group analysis

Physical access is a human identity governance problem with physical consequences. The article is right to collapse the false separation between building security and IAM. If employment status, role changes and site entitlements are not reconciled, then badge governance becomes a lifecycle failure rather than a controls issue. The implication is that physical access must be governed with the same rigor as joiner-mover-leaver processes.

Inherited badge access creates a durable overprivilege pattern, not a one-off mistake. The article’s Jessica example, in which a worker’s access is copied from a colleague rather than assigned from a role definition, shows how entitlements propagate through informal copying instead of policy-based assignment. That pattern is familiar in human IAM, but the physical domain makes it harder to detect because the evidence is dispersed across facilities systems. The implication is that copied entitlements should be treated as a governance defect, not an administrative shortcut.

Unvalidated physical access is a standing trust assumption that no board should accept. The article surfaces the assumption that a valid employment record implies valid physical access. That assumption fails when site entitlements are decoupled from role and location data, because people can retain access after a move or leave. The implication is that assurance requires continuous reconciliation, not periodic confidence statements.

Physical security systems need lifecycle governance, not just operational administration. The article describes a set-and-forget model that leaves access untouched for years. That is a classic lifecycle breakdown: no ownership, no meaningful recertification and no reliable offboarding. The implication is that security leaders should treat badge data as governed identity inventory, not as a facilities-only database.

Identity blast radius: access copied across roles and sites turns a single stale badge into a multi-facility exposure. The issue is not just whether one person should enter one room. Once permissions are inherited across regions, local exceptions compound and the effective blast radius expands. The implication is that practitioners need visibility into privilege propagation across physical zones, not just badge issuance counts.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
  • For a broader governance baseline, see the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs, whose lifecycle controls map cleanly to physical access recertification.

What this signals

Physical access governance will increasingly converge with identity lifecycle control. As more organisations connect badge systems to HR and directory records, the practical question is no longer whether access exists, but whether it can be continuously justified. Teams that already manage joiner-mover-leaver workflows should expect the same audit logic to reach buildings, labs and control rooms.

The governance signal is clear: the physical layer is becoming another identity perimeter, and the weakest link is usually not the lock. It is the inherited, stale or unowned entitlement that survives role changes, which means access reviews must expand beyond digital systems.

For practitioners building a programme baseline, the right reference point is the Ultimate Guide to NHIs alongside the NIST Cybersecurity Framework 2.0. The operational pattern is the same: identify where access lives, prove who owns it, and remove anything that cannot be justified.


For practitioners

  • Correlate physical access with authoritative identity sources: join badge records to HR status, role, department and location data, then flag any badge that does not match current employment context.
  • Eliminate copied and inherited permissions: review whether access was assigned because of role need or because it was cloned from another user, then remove inherited zone access that lacks a documented business basis.
  • Build recertification into physical access governance: apply scheduled entitlement reviews to building, floor, lab and control-room access, with site owners accountable for validating exceptions and stale badges.
  • Map high-risk physical zones to business roles: define which roles may enter executive suites, labs, plant rooms and control centres, then compare actual badge rights against those role definitions.
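The reconciliation described under "Technical breakdown" and the four practitioner steps above reduce to a small set of joins and comparisons. The following is an added worked example written for this page; it is not code from Gathid or from the NHIMG editorial team. The HR feed, badge export, role-to-zone policy, high-risk zone list and owner register are constructed sample data, and the record shapes, field names, zone naming scheme (site code as a prefix) and role policy are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample data (not real records): an HR feed as the authoritative
# source, a badge-system export, a role-to-zone policy and a zone-owner register.
# Zone names carry the site code as a prefix so site authorisation can be
# checked next to role. Record shapes and field names are assumptions.
HR = {
    "E100": {"status": "active", "role": "lab-tech", "site": "LON"},
    "E101": {"status": "active", "role": "lab-tech", "site": "LON"},
    "E102": {"status": "active", "role": "finance", "site": "LON"},
    "E103": {"status": "active", "role": "plant-ops", "site": "MAN"},
    "E104": {"status": "terminated", "role": "lab-tech", "site": "LON"},
}

BADGES = [
    {"badge": "B1", "employee": "E100", "zones": {"LON-LOBBY", "LON-LAB-2"}},
    {"badge": "B2", "employee": "E101", "zones": {"LON-LOBBY", "LON-LAB-2", "LON-EXEC"}},
    # B3 was cloned from B2 at onboarding: a finance hire holding lab and exec access
    {"badge": "B3", "employee": "E102", "zones": {"LON-LOBBY", "LON-LAB-2", "LON-EXEC"}},
    # B4 kept a London lab zone after a move to the Manchester plant
    {"badge": "B4", "employee": "E103", "zones": {"MAN-LOBBY", "MAN-CONTROL", "LON-LAB-2"}},
    {"badge": "B5", "employee": "E104", "zones": {"LON-LOBBY", "LON-LAB-2"}},  # leaver, badge still live
    {"badge": "B6", "employee": "E999", "zones": {"LON-LOBBY"}},  # no HR record at all
]

# Zones each role may hold at its own site (the site prefix is added at check time).
ROLE_ZONES = {
    "lab-tech": {"LOBBY", "LAB-2"},
    "finance": {"LOBBY"},
    "plant-ops": {"LOBBY", "CONTROL"},
}

HIGH_RISK_ZONES = {"LON-LAB-2", "LON-EXEC", "MAN-CONTROL"}
ZONE_OWNERS = {"LON-LAB-2": "lab-manager", "LON-EXEC": "exec-office"}  # MAN-CONTROL has no owner


def reconcile(hr, badges, role_zones):
    """Join each badge to its HR record and return (badge, defect, zone) tuples.

    Defects: 'orphaned' (no active employee behind the badge), 'site-mismatch'
    (zone at a site the person is not assigned to) and 'out-of-role' (zone the
    role policy does not grant at the person's site).
    """
    findings = []
    for b in badges:
        person = hr.get(b["employee"])
        if person is None or person["status"] != "active":
            findings.append((b["badge"], "orphaned", sorted(b["zones"])))
            continue
        allowed = {f"{person['site']}-{z}" for z in role_zones.get(person["role"], set())}
        for zone in sorted(b["zones"]):
            site = zone.split("-", 1)[0]
            if site != person["site"]:
                findings.append((b["badge"], "site-mismatch", zone))
            elif zone not in allowed:
                findings.append((b["badge"], "out-of-role", zone))
    return findings


def find_copied_profiles(hr, badges):
    """Group active badges by their exact zone set; a set shared by holders in
    different roles indicates a profile that was cloned rather than derived from role."""
    by_profile = defaultdict(list)
    for b in badges:
        person = hr.get(b["employee"])
        if person and person["status"] == "active":
            by_profile[frozenset(b["zones"])].append((b["badge"], person["role"]))
    return [
        {"zones": sorted(zones), "holders": holders}
        for zones, holders in by_profile.items()
        if len({role for _, role in holders}) > 1
    ]


def unowned_high_risk_zones(badges, high_risk, owners):
    """High-risk zones that appear on at least one badge but have no named owner."""
    in_use = set().union(*(b["zones"] for b in badges))
    return sorted(z for z in in_use & high_risk if not owners.get(z))


def governance_report(hr=HR, badges=BADGES):
    """Roll the three checks into the figures a physical access review would look at."""
    findings = reconcile(hr, badges, ROLE_ZONES)
    orphaned = sum(1 for _, kind, _ in findings if kind == "orphaned")
    return {
        "findings": findings,
        "orphaned_badge_rate": orphaned / len(badges),
        "copied_profiles": find_copied_profiles(hr, badges),
        "unowned_zones": unowned_high_risk_zones(badges, HIGH_RISK_ZONES, ZONE_OWNERS),
    }


if __name__ == "__main__":
    report = governance_report()
    for badge, kind, zone in report["findings"]:
        print(f"{badge}: {kind} {zone}")
    print("orphaned badge rate:", round(report["orphaned_badge_rate"], 2))
    print("copied profiles:", report["copied_profiles"])
    print("unowned high-risk zones:", report["unowned_zones"])
```

On the sample data the report surfaces every pattern the article describes: two orphaned badges (a leaver and a badge with no HR record), an executive zone held out of role, a London lab zone that survived a move to Manchester, one cloned profile shared by a lab technician and a finance hire, and a control room with no named owner. The copied-profile check is a heuristic: two roles can legitimately share a zone set, so its output is a review queue for the site owner rather than an automatic revocation list, and the orphaned-badge rate is the number to track over time, with the target being zero.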

Key takeaways

  • Physical access is an identity governance issue when badge rights can outlive employment status or role changes.
  • Inherited and copied badge entitlements create hidden overprivilege across sensitive sites, especially when systems are not reconciled with authoritative records.
  • Security teams should fold physical access into lifecycle governance, recertification and ownership models instead of treating it as a facilities-only problem.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 (Digital Identity Guidelines) and NIST SP 800-207 (Zero Trust Architecture) set the governance and control expectations practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (access permissions and entitlements managed and reviewed) and PR.AA-06 (physical access managed commensurate with risk); these replace the CSF 1.1 PR.AC-4 and PR.AC-2 subcategories | Physical access entitlements need governance and periodic review.
NIST SP 800-63 | Digital Identity Guidelines, including identity proofing (SP 800-63A) | Identity proofing and authoritative records underpin access validity.
NIST SP 800-207 | Zero Trust Architecture | Continuous verification logic fits converged physical and digital access.

Apply zero trust thinking to physical access by continuously validating entitlement against context.


Key terms

  • Physical Access Governance: The discipline of controlling who may enter a building, zone or restricted area using authoritative identity data, role context and review processes. It treats badges, doors and turnstiles as governed access assets rather than isolated facilities tools, with lifecycle controls that prevent stale or copied access from persisting.
  • Inherited Access: Access that is assigned by copying another person’s entitlement set instead of validating the new user’s actual need. In physical security, inherited access is risky because it quietly expands privilege across floors, labs or sites without a fresh approval basis or a reliable review trail.
  • Authoritative Identity Source: A system of record that defines a person’s current employment status, role and organisational context. Physical access governance depends on it because badge permissions are only trustworthy when they are reconciled back to source-of-truth identity data rather than left to drift inside facilities systems.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Gathid: Physical access governance is now an identity security problem. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org