Envoy
The State of Physical Security & Compliance•2026 Research Report

They think they’re protected. A stranger already walked in.

Two independent 2026 studies of 1,076 security, compliance, IT, and facilities leaders, from ordinary enterprises to the most sensitive labs in the country, reach the same uncomfortable conclusion: the systems meant to control physical access have no shared memory, and confidence has outrun coverage.

71%
of enterprises give contractors no single identity across their sites
92%
of sensitive-workspace orgs miss at least one physical-security basic
44%
cannot confidently say who was in their building yesterday
62%
are sure they’d pass an audit today, yet most had an incident
The big picture

Two studies, the same open door

The average enterprise has automated its visitor logs, hired a security team, and passed its audits. It still cannot tell you, with confidence, who was in its buildings yesterday. That gap, between how secure these organizations feel and how secure they can prove they are, is the subject of this report.

We ran two independent surveys in 2026, and they were designed to tell different stories. One looked at the tooling and compliance machinery of the broad enterprise. The other looked at the threats facing the most sensitive workspaces in the country: frontier AI labs, defense-tech firms, biotech and medical-device R&D. We expected two reports. The data gave us one.

In both, the same structural failure appears. The systems meant to control physical access have no shared memory. A contractor who belongs is recognized in one building and a stranger in the next. 71% of enterprises in the compliance study do not give contractors a single identity that follows them across sites. Most organizations had a real incident this year. And confidence in these programs runs well ahead of what they can actually prove.

Throughout, every figure is tagged with the study it came from. The two datasets are analyzed separately and compared, never merged into one blended number. Where they rhyme, and they rhyme often, it is because two different samples answered two different instruments and pointed the same direction. That is the strongest evidence a research program can offer.

Sophisticated cyber posture, 1990s-era physical posture. The confidence is real. The coverage isn’t. And someone already walked past the whiteboard.
The confidence gap

They feel secure. The controls tell another story.

Ask the leaders doing the most sensitive work in the world whether their program would stop an intruder, and most say yes. Ask what is actually instrumented behind that confidence, and the number drops. A net 58% believe their program would prevent unauthorized physical access, yet only 52% have badge control on sensitive doors and only 47% escort visitors at all times.

The belief is running ahead of the build. And confidence is not universal. The same question that produces a 58% majority also leaves 42% who will not say their program would stop an intruder, including 35% who actively doubt it. The picture splits two ways: a slight majority who feel protected but have not built the controls to be, and a large minority who already know they are exposed.

Sensitive-workspace study · n=294
Chart 1.1
What lab and R&D leaders believe about their own program
Thinking about your organization’s overall physical security program for sensitive areas, to what extent do you agree with each of the following? (net agree, strongly + somewhat)

Look at what these organizations have actually put in place and the confidence looks generous. Badge or key-card control on sensitive doors, the single most basic instrument, is present at just over half. Escorting visitors, capturing a government ID, revoking a terminated employee’s access within a day: each is a coin flip. A single visitor record that persists across all sites, the thing that would let identity follow a person, exists at barely a quarter.

Sensitive-workspace study · n=294
Chart 1.2
What they’ve actually built
Which of the following are currently part of your physical security program for sensitive areas? Select all that apply. (multi-select, exceeds 100%)

In fact, 92% are missing at least one of the five physical-security basics for sensitive work. Programs are being graded on intent, not on what is instrumented.

Key Insight · So What

58% believe their program would stop an intruder, but the controls that would make that true are present for only about half. The same pattern holds across every statement we tested: confidence sits above coverage on prevention, on accounting for who was in the building, and on contractor offboarding. Programs are being graded on intent, not on instrumentation.

Accounting for yesterday

Ask who was here yesterday, and 44% can't answer

The cleanest test of a physical security program is a simple one: can you say who was inside yesterday? For 44% of leaders doing some of the most sensitive work across industries, the answer is no. And the lived experience backs it up. Over a third (35%) personally saw someone they didn’t recognize and weren’t sure should be there within the past month, and one in five (19%) still run visitor sign-in on a paper logbook.

Sensitive-workspace study · n=294
Chart 2.1
Can you account for yesterday?
We could tell you exactly who was in our building yesterday. (single-select)

The number is not an abstraction. It is the difference between being able to investigate an incident and not. When 44% cannot reconstruct a single day, the ability to prove who touched what, or to close a gap they cannot see, goes with it.

Sensitive-workspace study · n=294
Chart 2.2
When they last saw a stranger inside
When was the last time you personally saw someone in your workplace you didn’t recognize and weren’t sure should have been there? (single-select)

More than half of these leaders saw an unrecognized person inside within the past three months. This is a regular occurrence, not a rare one.

Key Insight · So What

If you can’t reconstruct yesterday, you can’t investigate an incident, prove who touched what, or close a gap you can’t see. Nearly half of these leaders are in that position, and many are relying on a paper log that walks out the door with whoever signed it.

When access fails

The stranger didn't stop at the lobby

The unrecognized people aren’t staying in the lobby. Two in five (39%) leaders have personally seen a visitor or contractor reach a restricted physical area, and a fourth (28%) have seen someone view or photograph work-in-progress on whiteboards, screens, or prototypes. Unauthorized people ending up where they shouldn’t be is a regular occurrence, not a rare one.

Sensitive-workspace study · n=294
Chart 3.1
What leaders have personally witnessed
In the past year, have you witnessed a visitor or contractor doing any of the following? Select all that apply. (multi-select)
A contractor that was no longer employed accessed employee areas.Sensitive-workspace study respondent

Ask how often it happens and the frequency is striking. Four in five leaders (79%) report at least one unauthorized-access incident in the past year. Only 21% say it never happened.

Sensitive-workspace study · n=294
Chart 3.2
How often strangers end up inside
How many times have unauthorized or unverified people ended up in workspaces where they shouldn’t be, in the last year? (single-select)
Key Insight · So What

Four in five leaders report at least one unauthorized-access incident in the past year, and only 21% say it never happened. A stranger who reaches a whiteboard or an unattended workstation has, in effect, reached the work itself. This is the gap from Chapter One, made physical.

The missing identity layer

One person, ten front doors, no shared memory

If the sensitive-workspace study showed the sharpest edge of this problem, the compliance study shows its breadth. Among 782 enterprise leaders in physical security, compliance, IT, and facilities, the identical structural gap appears: identity does not persist across sites. 71% do not give contractors a single identity across all their locations. In the sensitive-workspace study, asked a different way in a different sample, 72% do not keep a single visitor record that persists across sites. The two figures land one point apart.

Compliance · n=782 Sensitive-workspace · n=294
Chart 4.1
The same gap in both studies: no identity that follows a person
Share of organizations with no persistent identity or visitor record across all their sites, measured in each study

The two studies used different instruments and never share a respondent, so the near-match is not an artifact of pooling. It is two independent samples describing the same missing layer. The rest of this chapter stays inside the compliance study, where the larger sample lets us see exactly where the gap concentrates.

Compliance study · n=782
Chart 4.2
How contractors are recognized across sites
When contractors return to a different site, are they recognized as the same person? (single-select)

The gap is deepest where the most third parties move through the building. Healthcare gives contractors a single identity just 22% of the time and manufacturing 26%, against financial services at 31%. No industry clears one in three.

Compliance study · n=782
Chart 4.3
One identity across sites, by industry
Share giving contractors a single persistent identity everywhere, by industry

Scale, which you might expect to help, barely does. The largest estates consolidate slightly, but even at twenty or more sites a strong majority still cannot give a contractor one identity.

Compliance study · n=782
Chart 4.4
Identity continuity barely improves with scale
Share giving contractors one identity across all sites, by number of sites

The reason is sprawl. 74% of enterprises run two or more visitor-management systems and 46% run six or more. Each site, each acquisition, each lobby brought its own tool, and nobody ever connected them.

Compliance study · n=782
Chart 4.5
Most enterprises run many visitor systems at once
How many visitor management systems does your organization operate across all sites? (single-select)
Key Insight · So What

A stack that can’t see itself can’t remember a person. 71% of enterprises have no shared identity layer, and the sprawl that causes it is structural: it appears the moment an organization has more than one site and never resolves on its own. Every downstream failure, the incidents, the audit scramble, the wasted hours, follows from this single fact.

Incidents everywhere

When no one system remembers, the wrong people walk in

The consequence is not hypothetical in the broad enterprise either. 68% of compliance-study organizations had a real physical-security incident in the past year, and in the sensitive-workspace study 78% had an unauthorized person reach a restricted area. Different question, different sample, the same verdict: most organizations had a breach of some kind this year.

Compliance · n=782 Sensitive-workspace · n=294
Chart 5.1
Most organizations had an incident this year, in both studies
Share reporting at least one incident or unauthorized entry in the past year, measured in each study

High security does not buy safety. The frontier AI labs and defense-tech firms in the sensitive-workspace study report incidents at rates even with, or above, the ordinary offices in the compliance study. The sensitivity of what an organization protects does not change the outcome when the identity layer underneath is missing.

Inside the compliance study, the specific failures cluster around exactly the seam the missing identity layer leaves open: visitors not properly signed in, people who could not be verified at check-in, former contractors who kept access after their work ended.

Compliance study · n=782
Chart 5.2
What went wrong in the past year
In the past year, has your organization experienced any of the following? (multi-select, top incident types)

That last failure, access that outlives the engagement, shows up at nearly the same rate in both studies. A third of compliance-study organizations logged it as an incident, and a nearly identical share of sensitive-workspace leaders are not confident a departed contractor loses access at all.

Compliance · n=782 Sensitive-workspace · n=294
Chart 5.3
Departed contractors keep access in both populations
Share reporting retained access by a former contractor or employee, measured in each study
Key Insight · So What

Two studies, two populations, the same result: most organizations had a real incident this year, and the most sensitive ones are no safer. The problem is structural, not situational.

The operational tax

The hidden cost of running security by spreadsheet

Between the incidents sits the daily tax, the one that never makes it into a board deck because it is invisible until an auditor asks. When the systems don’t talk, a human has to be the integration layer. Pulling access logs in a normal week means reconciling six or more separate systems for 49% of enterprises.

Compliance study · n=782
Chart 6.1
Systems a team must check just to pull access logs
How many separate systems must your team check to pull physical access logs in a normal week? (single-select)

That reconciliation costs real hours. 56% of teams lose six hours a week or more to manual physical-security tracking, before an audit even begins. During an active audit, the burden spikes.

Compliance study · n=782
Chart 6.2
Hours per week lost to manual tracking
Roughly how many hours per week does your team spend on manual physical-security tracking? (single-select)
Protocol is to immediately shut down the building, lock all exits and entries, and perform head count, badge count, and screen each employee in the building in each room.Sensitive-workspace study respondent, on responding to an intruder

The pain of audit prep is not the paperwork itself. It is the scramble to assemble evidence that lives in too many places at once.

Compliance study · n=782
Chart 6.3
The biggest pain in preparing for an audit
What challenges do you experience when preparing for a physical security audit? (multi-select)
Key Insight · So What

Some of that “system” is paper and pen, with someone typing the day’s sign-in sheet into a spreadsheet at the end of a shift. It holds up until that person is out, or the volume spikes, or an auditor asks for a record that was never written down.

Confidence vs. evidence

The blind spot hiding behind the confidence

Here is the part that doesn’t add up. The same leaders watching strangers walk through their buildings are confident those buildings are secure. In the sensitive-workspace study, 58% believe their program would stop an unauthorized person and 83% say their physical-cyber budget balance is about right. In the compliance study, 62% are sure they could pass an audit today with no preparation, even as most had an incident. The witnessed reality and the stated confidence point in opposite directions.

Compliance · n=782 Sensitive-workspace · n=294
Chart 7.1
Confidence runs high in both studies
Share expressing confidence in their program, across the two studies

In the compliance study, confidence is highest exactly where exposure should worry leaders most or least in inverse. Single-site organizations, with the least to reconcile, are the most confident. The moment a second site opens, confidence dips, precisely where multi-site fragmentation first appears.

Compliance study · n=782
Chart 7.2
Audit confidence is highest at single-site orgs, then dips
Share very confident they could pass an audit today with no prep, by number of sites

Ask the specific questions and the confidence thins further. 44% of sensitive-workspace leaders cannot say who was in their building yesterday. Yet 83% still say their budget balance is about right and only 12% admit they underinvest in physical security.

Sensitive-workspace study · n=294
Chart 7.3
Where the worry concentrates
How concerned are you about each of the following physical security threats? (very + somewhat concerned)

Physical and cyber teams “coordinate closely” at 82% of compliance-study organizations, yet the physical side still runs blind. The threats leaders rank highest, insiders and unsupervised contractors, are the ones their controls handle weakest.

Key Insight · So What

The confidence splits two ways, and neither half is reassuring. A slight majority believe their program would stop an intruder, and the coverage data says most of them shouldn’t. The rest already doubt it. Cyber posture is funded for the threats leaders fear. Physical posture is funded for the threats they used to fear.

What's at stake

The open door sits right in front of the crown jewels

This gap would matter anywhere. It matters most here, where teams are developing the most sensitive work in the world. When we asked what these leaders most fear losing, AI models and training data top the list, narrowly ahead of client data and proprietary research. No single asset dominates, which means the physical program has to defend a wide front.

Sensitive-workspace study · n=294
Chart 8.1
What leaders fear losing first
Which types of IP are you most concerned about protecting? (share ranking each #1)

And the worry runs inward. Two-thirds are concerned about contractors in spaces unsupervised and about insiders exposing information, whether by intent or by mistake. These are precisely the threats a shared identity layer is built to catch, and precisely the ones today’s disconnected stack misses.

Key Insight · So What

67% are concerned about insiders intentionally exposing information and 66% about contractors accessing spaces unsupervised, yet under half revoke terminated-employee access within 24 hours. The threats leaders rank highest are the ones their controls handle weakest. The gap sits directly in front of model weights, customer records, and research methods.

The real barrier

The barrier was never budget. It's visibility.

The reason the gap persists isn’t cost. When we asked sensitive-workspace leaders why missing controls weren’t in place, the runaway answer was that they had considered them and never prioritized them: 58% said so, nearly three times the share who cited expense. Another 9% didn’t know the more advanced capabilities were an option at all.

Sensitive-workspace study · n=294
Chart 9.1
Why the gaps stay open: prioritization, not price
Why haven’t you implemented the solutions you didn’t select? Select all that apply. (multi-select)

The compliance study reaches the same conclusion from a different angle. When those leaders rank what’s blocking better physical security, complexity of compliance requirements tops the list at 39%, above budget constraints at 32%. The barrier is not the checkbook.

Compliance study · n=782
Chart 9.2
What’s blocking better security: complexity leads budget
What’s getting in the way of improving physical security? (share ranking each in their top two)

Asked what they actually need, teams point straight at the missing layer: real-time visibility into who’s on-site, integration between physical and cyber, and a single identity that persists across sites. The conviction is already there.

Compliance study · n=782
Chart 9.3
What teams say they need most
What physical security capabilities does your organization need most? (share ranking each in their top two)
Key Insight · So What

The case for action is already made inside these organizations. The blocker is prioritization and complexity, not conviction or money. Across seven advanced controls in the sensitive-workspace study, 13 to 16% of leaders didn’t even know the capability existed. You can’t prioritize what you don’t know to ask for.

Close the gap

Know who is in your building.

The conviction is already there. The fix is connecting the front door, not spending more: one visitor record, modern sign-in, watchlist screening, and access that ends the moment someone leaves. Envoy protects the places the world relies on most. Let’s start with yours.

Talk to Envoy →

Methodology

This report draws on two independent surveys Envoy commissioned in 2026, analyzed separately and compared rather than pooled. Where both asked a comparable question, the two figures are shown side by side and never combined into a single blended number.

The State of Physical Compliance study surveyed 782 US-based enterprise leaders in physical security, compliance and GRC, IT security, and facilities, fielded June 2–30, 2026. Respondents were Director level or above at organizations with 1,000+ employees operating multiple physical sites, and were the primary decision maker for or a significant influence on physical security tools, vendors, or compliance programs. Cross-tabs are available by team, accountability, industry, company size, and number of sites.

The Sensitive-Workspace Threat study surveyed 294 Director-and-above leaders at US organizations operating labs, R&D, and other high-sensitivity facilities, including frontier and applied AI, defense and national-security technology, and medical-device and pre-clinical research, using a guided interview format provided by Gather. This study segments by research domain rather than industry.

782
Compliance study leaders
294
Sensitive-workspace leaders
June 2026
Fieldwork window
US
Director-and-above, multi-site

Sensitive-workspace respondents: Frontier AI 41% · Applied AI 35% · Defense tech 9% · Medical device R&D 7% · Pre-clinical / gene 4% · Other R&D 4%. Seniority: C-level 53% · Director 29% · VP/Head 13% · other 5%.

Percentages reflect unique respondents who selected each option, rounded to whole numbers. Multi-select and ranking questions can sum above 100% and are labeled accordingly; single-select breakdowns sum to 100% within rounding. Net-agree and net-concerned figures combine the top two response options. All numbers trace to the structured survey data. Research powered by Gather.

0