TL;DR: A North American bank deployed HID Mobile Credentials with Alert Enterprise and CCURE 9000 in 60 days, supporting both corporate devices and BYOD while reinforcing encrypted storage, faster lifecycle management, and enterprise governance across physical access operations. The real lesson is that modern access programmes now live or die on identity lifecycle control, device trust, and operational coordination, not just badge replacement.
NHIMG editorial — based on content published by AlertEnterprise: Case Studies Future-Ready Access in Just 60 Days
Questions worth separating out
Q: How should organisations govern mobile credentials for physical access?
A: Treat mobile credentials as governed identity credentials, not convenience features.
Q: Why do BYOD access programmes need stricter controls than corporate-issued devices?
A: BYOD weakens direct enterprise control over the device that presents the credential.
Q: What breaks when physical access is managed separately from IAM?
A: Access drift becomes inevitable.
Practitioner guidance
- Map physical access into your identity lifecycle model Tie badge, mobile credential, and visitor access changes to joiner-mover-leaver workflows so revocation and role changes propagate without manual intervention.
- Define BYOD assurance thresholds before enrolment Require explicit controls for personal smartphones, including device registration, encryption, screen lock, and remote revocation procedures.
- Align physical access governance with authoritative identity sources Connect PIAM decisions to HR and IAM records so access rights change when employment status, role, or location changes.
What's in the full article
AlertEnterprise's full article covers the implementation detail this post intentionally leaves at the governance level:
- Deployment sequencing from kickoff to 60-day production go-live across access control and device enrolment.
- How CCURE 9000 integration was handled within the existing physical access control environment.
- The phased path into PIAM expansion, including SailPoint-based lifecycle automation.
- The operational framing behind employee onboarding, communications, and adoption in both corporate and BYOD contexts.
👉 Read AlertEnterprise's case study on mobile credentials and physical access modernisation →
Mobile credentials for bank access control: what changed in 60 days?
Explore further
Mobile credentialing is now an identity governance problem, not a facilities upgrade. Once access moves from a badge to a device-bound credential, the control surface shifts into enrolment, revocation, and entitlement governance. The bank’s 60-day rollout shows that speed is possible, but only when governance, operations, and user onboarding are aligned. Practitioners should treat physical access as part of the identity programme, not a separate security island.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which is why lifecycle discipline matters across every identity class.
A question worth separating out:
Q: Who should own mobile credential governance in an enterprise access programme?
A: Ownership should sit with identity and security governance, not only facilities or operations. Physical access touches HR data, IAM lifecycle, device trust, and audit readiness, so governance needs shared accountability with clear control ownership. That structure is what keeps mobile access aligned with compliance and operational requirements.
👉 Read our full editorial: Mobile credentials and physical access governance in 60 days