Mike Margrain, Technical Director APAC & IMEA, Gallagher Security explores how a new era of access models and governance cut friction, boost compliance and transform security into a true business enabler.
For decades, the role of physical security has been clearly defined: Prevent unauthorised access and protect people, assets and facilities.
That core responsibility has not changed. What has changed is the environment in which physical security now operates and the expectations placed upon it.
Hybrid work models, contractor-heavy organisations and increasingly mobile workforces are among the norm rather than the exception.
At the same time, regulatory scrutiny continues to intensify, particularly in sectors responsible for sensitive data, critical infrastructure and public safety.
Together, these forces put pressure on access models designed for a more static world.
In regulated and safety-critical environments, this pressure extends beyond efficiency.
When access decisions are made informally or without clear separation of responsibilities, organisations risk granting access without the appropriate operational or safety oversight, increasing exposure to both compliance failures and real-world harm.
It’s important to acknowledge that physical access cards remain a central part of security operations across most organisations.
They’re familiar, reliable and deeply embedded in existing processes and infrastructure.
The challenge facing security leaders is not to abandon cards altogether, but to recognise that the way access is granted, managed and governed must evolve alongside the modern workplace.
Access today is no longer a one-time permission assigned and forgotten.
It’s an operational workflow that intersects with people, productivity, compliance and risk. Increasingly, how well that workflow functions determines whether physical security acts as a facilitator of work or a source of friction.
The hidden cost of manual access management
In many organisations, access management remains surprisingly manual. Requests are submitted through email, tracked in spreadsheets and approved through informal chains of authority.
Security teams often find themselves acting as human gatekeepers, interpreting requests, chasing approvals, issuing credentials and documenting decisions.
While these approaches may appear manageable in smaller or slower-moving environments, their limitations become obvious as organisations scale.
Delays in onboarding are one of the most visible consequences.
New employees, contractors or visitors may arrive on site without the access they need to be productive, creating frustration and lost time.
Credential replacements, whether due to loss or damage, require additional manual intervention, further stretching security resources.
Over time, inconsistent approval processes and undocumented exceptions introduce compliance risk, making audits more difficult and less defensible.
These inefficiencies compound quickly in high-churn or multi-site environments, particularly when institutional knowledge resides with individuals rather than within the system itself.
Why traditional access models are under strain
The root of the problem lies in the fact that many access control models were designed for a different era. They assumed stable workforces, predictable schedules and limited change.
Today’s organisations must accommodate distributed teams, contractors, vendors and visitors, often across multiple locations and time zones, while managing sensitive areas with differing approval rules and regulatory obligations.
Under these conditions, manual decision-making struggles to keep pace. Security leaders are increasingly asked to deliver both speed and assurance, yet rarely receive the additional headcount required to do so. The result is a growing tension between operational demand and security capacity, with access management caught in the middle.
Evolving toward smarter, more adaptive access
In response, many organisations are beginning to rethink how access is managed, even if the credentials themselves remain unchanged.
Mobile credentials can reduce friction by enabling faster provisioning and updates without the need for physical handovers.
For users, this can mean smoother onboarding and fewer disruptions. For security teams, it reduces the volume of routine administrative work.
More significantly, cloud-based access workflows introduce a different operating model. Rather than relying on individuals to interpret and enforce policy on a case-by-case basis, organisations can define approval rules aligned to roles, locations and risk profiles.
Decisions become more consistent, less dependent on individual judgment and easier to audit.
Automation in this context strengthens control rather than weakening it.
Access becomes dynamic rather than static, auditable rather than informal and responsive to operational needs rather than constrained by manual processes.
From operational control to strategic capability
The impact of this shift can be seen across a wide range of industries. In high-churn environments such as education, retail or construction, automated workflows support faster onboarding and timely removal of temporary access.
In high-assurance settings like healthcare, government or data centres, consistent approval processes and strong audit trails support compliance and reduce risk.
For distributed organisations, cloud-based access management enables central visibility without creating central bottlenecks.
Crucially, this evolution does not require organisations to discard their existing access infrastructure. Physical cards, readers and on-site systems will continue to play an important role, particularly where mobile access is not feasible or appropriate.
The real transformation lies in how access decisions are orchestrated and governed.
Access governance in a distributed organisation
As access models become more adaptive, the challenge facing many organisations is no longer about technology capability, but about governance at scale.
Decisions about who can access which spaces, when and under what conditions are increasingly distributed across managers, teams and locations.
Yet in many environments, the responsibility for executing those decisions still sits squarely with security.
This mismatch creates friction. Security teams are left interpreting informal requests, chasing approvals and translating business intent into system changes.
Over time, this approach becomes difficult to sustain.
It slows onboarding, obscures accountability and increases the likelihood that access remains in place longer than intended.
Modern access governance requires a different operating model. Rather than relying on individual judgement and institutional knowledge, organisations need structured workflows that define who is allowed to approve access, what information is required and how long permissions should remain valid.
When these rules are embedded into the process itself, access becomes more consistent and easier to scale across the enterprise.
Turning access policy into practice
Putting this model into action requires tools that can translate policy into day-to-day operations without adding complexity.
Increasingly, organisations are turning to cloud-based platforms that sit alongside their existing access control systems, orchestrating how requests, approvals and provisioning are handled.
Gallagher Security’s AccessNow is one example of this approach. Rather than asking users or approvers to navigate core security systems, it provides a governed, self-service layer where access requests can be submitted, reviewed and approved according to predefined rules.
The result is a process that is faster for users, clearer for approvers and more manageable for security teams.
By shifting routine access decisions to managers and designated approvers while retaining central oversight and auditability, this model reduces administrative burden without sacrificing control.
Access can be granted or revoked in line with real operational needs, supported by consistent workflows and documented decision trails.
Crucially, because AccessNow integrates with existing infrastructure, organisations can adopt these practices without replacing physical cards, readers or controllers.
The underlying access environment remains familiar, but the governance around it becomes more dynamic and resilient.
As the nature of work continues to change, physical access is moving from a gatekeeping function to a strategic capability.
Security leaders have an opportunity to reduce friction while strengthening assurance, supporting the organisation rather than slowing it down.
In this context, the value of physical security lies in how seamlessly it enables people to work – safely, securely and with confidence.
