Cybersecurity has solved many of the problems that physical security is still working through. Identity is the clearest example.
In IT, the question of “who is this person and what should they have access to” was answered years ago. Platforms like Okta and Microsoft Entra ID connect HR systems to application access. When someone joins, they get the right permissions. When they leave, access is removed. When their role changes, permissions follow. The process is automatic, auditable, and connected to the source of truth: the HR system.
Physical security has not caught up.
The parallel world
Instead of connecting to what already exists, the physical access industry has built its own identity layer. Separate databases for cardholders. Separate enrolment processes. Separate lifecycle management that rarely talks to HR or IT systems in any structured way.
The result is predictable. Someone leaves the organisation. IT disables their account within hours. Their building access stays active for weeks, sometimes months. Not because anyone decided it should, but because the systems are not connected and nobody triggered the removal.
Mechanical keys make it worse. A key does not expire. It stays in a pocket. It outlives contracts, restructures, and employment. Without a controlled return process, access persists indefinitely.
Why the gap exists
Part of it is technical. Physical access systems were built as closed, on-premise environments with proprietary protocols. Connecting them to anything required custom integration work, and most organisations did not have the budget or the appetite for it.
Part of it is structural. The physical security industry has historically operated in its own lane. The teams that manage locks and access cards are rarely the same teams that manage IT identity. They report to different people, use different tools, follow different processes. The problem is not that identity is unsolved. The problem is that the solution lives in a department that physical security does not typically talk to.
And part of it is commercial. Vendors benefit from selling their own identity management as a feature. If the customer realises their HR system or identity platform could drive physical access decisions, a significant part of the product value disappears.
What changes when you stop reinventing
When physical access connects to the identity sources that already exist, three things happen.
First, access follows organisational changes without manual intervention. Someone moves departments, their physical access updates. Someone’s contract ends, their credentials and keys are flagged for removal. The HR system becomes the trigger, not a facilities manager checking a spreadsheet.
Second, records become complete without extra effort. Every access decision traces back to an organisational event. Auditors can see not just who has access, but why, and when that reason changed. The record builds itself as part of the process, rather than being reconstructed after the fact.
Third, access that should not exist becomes detectable. When the source of truth is connected, you can compare what access exists against what access should exist. The gap becomes visible. And visible gaps can be corrected before they become incidents.
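The comparison described in the third point can be sketched as a reconciliation job. This is an added example, not code from any vendor or from the original article; the HR fields, zone names, role policy and sample records are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and zone names are assumptions.
HR = {  # employee_id -> (status, department, contract_end or None)
    "E100": ("active", "finance", None),
    "E101": ("terminated", "finance", date(2024, 3, 1)),
    "E102": ("active", "engineering", None),  # recently moved from finance
}
# Hypothetical role policy: zones each department should be able to enter.
POLICY = {
    "finance": {"lobby", "finance-floor"},
    "engineering": {"lobby", "lab"},
}
# Export of what exists: (employee_id, credential_type, zone).
GRANTS = [
    ("E100", "badge", "lobby"),
    ("E100", "badge", "finance-floor"),
    ("E101", "badge", "lobby"),          # leaver, badge never disabled
    ("E101", "key", "finance-floor"),    # leaver, mechanical key not returned
    ("E102", "badge", "lab"),
    ("E102", "badge", "finance-floor"),  # left over from previous role
    ("E999", "badge", "lobby"),          # cardholder unknown to HR
]


def reconcile(hr, policy, grants, today):
    """Return grants that exist but have no current organisational reason."""
    findings = []
    for emp, kind, zone in grants:
        record = hr.get(emp)
        if record is None:
            reason, overdue = "no HR record", None
        else:
            status, dept, end = record
            ended = status != "active" or (end is not None and end <= today)
            if ended:
                # Days the access has outlived the contract, if the date is known.
                reason = "employment ended"
                overdue = (today - end).days if end else None
            elif zone not in policy.get(dept, set()):
                reason, overdue = "zone not in current role", None
            else:
                continue  # access matches the source of truth
        findings.append({"employee": emp, "type": kind, "zone": zone,
                         "reason": reason, "days_overdue": overdue})
    return findings


if __name__ == "__main__":
    for f in reconcile(HR, POLICY, GRANTS, date(2024, 4, 15)):
        print(f)
```

Mechanical keys sit in the same grant list as badges, so a key that was never returned surfaces in the same report as a badge that was never disabled.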
The pattern, not the prediction
This is not speculation about where the industry might go. It is a pattern that has already played out in IT, HR, and finance. Each of those functions went through a period where data lived in silos, processes were manual, and integration felt optional. Then regulatory pressure and operational scale forced convergence.
Physical access is at that inflection point now. NIS2, DORA, and tightening ISO 27001 requirements are making it harder to justify disconnected systems and manual processes. The organisations that connect their physical access to existing identity infrastructure will be the ones that can prove compliance without rebuilding their records every audit cycle.
The technology is not the barrier. The interfaces exist. REST APIs are standard. The barrier is recognising that the problem was already solved, and building the connection instead of the copy.