Every access system we audit tells the same story when you ask it the right question. Not "who came in yesterday", but "which credentials have never been used and never been cancelled". The answer is routinely ten to twenty percent of the badge population: contractors whose projects ended, employees who changed roles twice, vendors whose companies no longer exist. Each one is a working key to your building, held by someone with no current reason to hold it.
Your access system knows who never badged out in 2019. Nobody has asked it.
Identity debt is a physical problem now
IT learned this lesson a decade ago and built joiner-mover-leaver discipline into directories. The doors never got the memo. HR terminates an employee at noon; the network account dies at 12:01; the badge often lives until someone happens to notice. Contractors are worse: their start dates are precise because someone needed them on site, and their end dates are nobody’s job. In colocation and construction-phase estates, badge populations churn faster than any quarterly review most operators run.
The quarterly list
- Reconcile every active credential against a person and a current reason, on a named executive’s signature, four times a year.
- Tie contractor badges to contract end dates at issuance, so expiry is automatic and extension is the exception that needs a human.
- Wire HR leaver events to physical access the way they are wired to the directory: same day, same workflow, no side channel.
- Trend two numbers: dormant-badge rate and time-from-leaver-to-revocation. Both should embarrass someone into fixing the process.
None of this needs new hardware. It is the least glamorous work in physical security, and in our reviews it retires more real risk per euro than any camera upgrade on the same budget line.
We run these reconciliations for estates with heavy churn. One clean quarter changes the culture.