Two independent 2026 studies of 1,076 security, compliance, IT, and facilities leaders, from ordinary enterprises to the most sensitive labs in the country, reach the same uncomfortable conclusion: the systems meant to control physical access have no shared memory, and confidence has outrun coverage.
The average enterprise has automated its visitor logs, hired a security team, and passed its audits. It still cannot tell you, with confidence, who was in its buildings yesterday. That gap, between how secure these organizations feel and how secure they can prove they are, is the subject of this report.
We ran two independent surveys in 2026, and they were designed to tell different stories. One looked at the tooling and compliance machinery of the broad enterprise. The other looked at the threats facing the most sensitive workspaces in the country: frontier AI labs, defense-tech firms, biotech and medical-device R&D. We expected two reports. The data gave us one.
In both, the same structural failure appears. The systems meant to control physical access have no shared memory. A contractor who belongs is recognized in one building and a stranger in the next. 71% of enterprises in the compliance study do not give contractors a single identity that follows them across sites. Most organizations had a real incident this year. And confidence in these programs runs well ahead of what they can actually prove.
Throughout, every figure is tagged with the study it came from. The two datasets are analyzed separately and compared, never merged into one blended number. Where they rhyme, and they rhyme often, it is because two different samples answered two different instruments and pointed the same direction. That is the strongest evidence a research program can offer.
Ask the leaders doing the most sensitive work in the world whether their program would stop an intruder, and most say yes. Ask what is actually instrumented behind that confidence, and the number drops. A net 58% believe their program would prevent unauthorized physical access, yet only 52% have badge control on sensitive doors and only 47% escort visitors at all times.
The belief is running ahead of the build. And confidence is not universal. The same question that produces a 58% majority also leaves 42% who will not say their program would stop an intruder, including 35% who actively doubt it. The picture splits two ways: a slight majority who feel protected but have not built the controls to be, and a large minority who already know they are exposed.
Look at what these organizations have actually put in place and the confidence looks generous. Badge or key-card control on sensitive doors, the single most basic instrument, is present at just over half. Escorting visitors, capturing a government ID, revoking a terminated employee’s access within a day: each is a coin flip. A single visitor record that persists across all sites, the thing that would let identity follow a person, exists at barely a quarter.
In fact, 92% are missing at least one of the five physical-security basics for sensitive work. Programs are being graded on intent, not on what is instrumented.
58% believe their program would stop an intruder, but the controls that would make that true are present for only about half. The same pattern holds across every statement we tested: confidence sits above coverage on prevention, on accounting for who was in the building, and on contractor offboarding. Programs are being graded on intent, not on instrumentation.
The cleanest test of a physical security program is a simple one: can you say who was inside yesterday? For 44% of leaders doing some of the most sensitive work across industries, the answer is no. And the lived experience backs it up. Over a third (35%) personally saw someone they didn’t recognize and weren’t sure should be there within the past month, and one in five (19%) still run visitor sign-in on a paper logbook.
The number is not an abstraction. It is the difference between being able to investigate an incident and not. When 44% cannot reconstruct a single day, the ability to prove who touched what, or to close a gap they cannot see, goes with it.
More than half of these leaders saw an unrecognized person inside within the past three months. This is a regular occurrence, not a rare one.
If you can’t reconstruct yesterday, you can’t investigate an incident, prove who touched what, or close a gap you can’t see. Nearly half of these leaders are in that position, and many are relying on a paper log that walks out the door with whoever signed it.
The unrecognized people aren’t staying in the lobby. Two in five (39%) leaders have personally seen a visitor or contractor reach a restricted physical area, and a fourth (28%) have seen someone view or photograph work-in-progress on whiteboards, screens, or prototypes. Unauthorized people ending up where they shouldn’t be is a regular occurrence, not a rare one.
Ask how often it happens and the frequency is striking. Four in five leaders (79%) report at least one unauthorized-access incident in the past year. Only 21% say it never happened.
Four in five leaders report at least one unauthorized-access incident in the past year, and only 21% say it never happened. A stranger who reaches a whiteboard or an unattended workstation has, in effect, reached the work itself. This is the gap from Chapter One, made physical.
If the sensitive-workspace study showed the sharpest edge of this problem, the compliance study shows its breadth. Among 782 enterprise leaders in physical security, compliance, IT, and facilities, the identical structural gap appears: identity does not persist across sites. 71% do not give contractors a single identity across all their locations. In the sensitive-workspace study, asked a different way in a different sample, 72% do not keep a single visitor record that persists across sites. The two figures land one point apart.
The two studies used different instruments and never share a respondent, so the near-match is not an artifact of pooling. It is two independent samples describing the same missing layer. The rest of this chapter stays inside the compliance study, where the larger sample lets us see exactly where the gap concentrates.
The gap is deepest where the most third parties move through the building. Healthcare gives contractors a single identity just 22% of the time and manufacturing 26%, against financial services at 31%. No industry clears one in three.
Scale, which you might expect to help, barely does. The largest estates consolidate slightly, but even at twenty or more sites a strong majority still cannot give a contractor one identity.
The reason is sprawl. 74% of enterprises run two or more visitor-management systems and 46% run six or more. Each site, each acquisition, each lobby brought its own tool, and nobody ever connected them.
A stack that can’t see itself can’t remember a person. 71% of enterprises have no shared identity layer, and the sprawl that causes it is structural: it appears the moment an organization has more than one site and never resolves on its own. Every downstream failure, the incidents, the audit scramble, the wasted hours, follows from this single fact.
The consequence is not hypothetical in the broad enterprise either. 68% of compliance-study organizations had a real physical-security incident in the past year, and in the sensitive-workspace study 78% had an unauthorized person reach a restricted area. Different question, different sample, the same verdict: most organizations had a breach of some kind this year.
High security does not buy safety. The frontier AI labs and defense-tech firms in the sensitive-workspace study report incidents at rates even with, or above, the ordinary offices in the compliance study. The sensitivity of what an organization protects does not change the outcome when the identity layer underneath is missing.
Inside the compliance study, the specific failures cluster around exactly the seam the missing identity layer leaves open: visitors not properly signed in, people who could not be verified at check-in, former contractors who kept access after their work ended.
That last failure, access that outlives the engagement, shows up at nearly the same rate in both studies. A third of compliance-study organizations logged it as an incident, and a nearly identical share of sensitive-workspace leaders are not confident a departed contractor loses access at all.
Two studies, two populations, the same result: most organizations had a real incident this year, and the most sensitive ones are no safer. The problem is structural, not situational.
Between the incidents sits the daily tax, the one that never makes it into a board deck because it is invisible until an auditor asks. When the systems don’t talk, a human has to be the integration layer. Pulling access logs in a normal week means reconciling six or more separate systems for 49% of enterprises.
That reconciliation costs real hours. 56% of teams lose six hours a week or more to manual physical-security tracking, before an audit even begins. During an active audit, the burden spikes.
The pain of audit prep is not the paperwork itself. It is the scramble to assemble evidence that lives in too many places at once.
Some of that “system” is paper and pen, with someone typing the day’s sign-in sheet into a spreadsheet at the end of a shift. It holds up until that person is out, or the volume spikes, or an auditor asks for a record that was never written down.
Here is the part that doesn’t add up. The same leaders watching strangers walk through their buildings are confident those buildings are secure. In the sensitive-workspace study, 58% believe their program would stop an unauthorized person and 83% say their physical-cyber budget balance is about right. In the compliance study, 62% are sure they could pass an audit today with no preparation, even as most had an incident. The witnessed reality and the stated confidence point in opposite directions.
In the compliance study, confidence is highest exactly where exposure should worry leaders most or least in inverse. Single-site organizations, with the least to reconcile, are the most confident. The moment a second site opens, confidence dips, precisely where multi-site fragmentation first appears.
Ask the specific questions and the confidence thins further. 44% of sensitive-workspace leaders cannot say who was in their building yesterday. Yet 83% still say their budget balance is about right and only 12% admit they underinvest in physical security.
Physical and cyber teams “coordinate closely” at 82% of compliance-study organizations, yet the physical side still runs blind. The threats leaders rank highest, insiders and unsupervised contractors, are the ones their controls handle weakest.
The confidence splits two ways, and neither half is reassuring. A slight majority believe their program would stop an intruder, and the coverage data says most of them shouldn’t. The rest already doubt it. Cyber posture is funded for the threats leaders fear. Physical posture is funded for the threats they used to fear.
This gap would matter anywhere. It matters most here, where teams are developing the most sensitive work in the world. When we asked what these leaders most fear losing, AI models and training data top the list, narrowly ahead of client data and proprietary research. No single asset dominates, which means the physical program has to defend a wide front.
And the worry runs inward. Two-thirds are concerned about contractors in spaces unsupervised and about insiders exposing information, whether by intent or by mistake. These are precisely the threats a shared identity layer is built to catch, and precisely the ones today’s disconnected stack misses.
67% are concerned about insiders intentionally exposing information and 66% about contractors accessing spaces unsupervised, yet under half revoke terminated-employee access within 24 hours. The threats leaders rank highest are the ones their controls handle weakest. The gap sits directly in front of model weights, customer records, and research methods.
The reason the gap persists isn’t cost. When we asked sensitive-workspace leaders why missing controls weren’t in place, the runaway answer was that they had considered them and never prioritized them: 58% said so, nearly three times the share who cited expense. Another 9% didn’t know the more advanced capabilities were an option at all.
The compliance study reaches the same conclusion from a different angle. When those leaders rank what’s blocking better physical security, complexity of compliance requirements tops the list at 39%, above budget constraints at 32%. The barrier is not the checkbook.
Asked what they actually need, teams point straight at the missing layer: real-time visibility into who’s on-site, integration between physical and cyber, and a single identity that persists across sites. The conviction is already there.
The case for action is already made inside these organizations. The blocker is prioritization and complexity, not conviction or money. Across seven advanced controls in the sensitive-workspace study, 13 to 16% of leaders didn’t even know the capability existed. You can’t prioritize what you don’t know to ask for.
The conviction is already there. The fix is connecting the front door, not spending more: one visitor record, modern sign-in, watchlist screening, and access that ends the moment someone leaves. Envoy protects the places the world relies on most. Let’s start with yours.
Talk to Envoy →This report draws on two independent surveys Envoy commissioned in 2026, analyzed separately and compared rather than pooled. Where both asked a comparable question, the two figures are shown side by side and never combined into a single blended number.
The State of Physical Compliance study surveyed 782 US-based enterprise leaders in physical security, compliance and GRC, IT security, and facilities, fielded June 2–30, 2026. Respondents were Director level or above at organizations with 1,000+ employees operating multiple physical sites, and were the primary decision maker for or a significant influence on physical security tools, vendors, or compliance programs. Cross-tabs are available by team, accountability, industry, company size, and number of sites.
The Sensitive-Workspace Threat study surveyed 294 Director-and-above leaders at US organizations operating labs, R&D, and other high-sensitivity facilities, including frontier and applied AI, defense and national-security technology, and medical-device and pre-clinical research, using a guided interview format provided by Gather. This study segments by research domain rather than industry.
Sensitive-workspace respondents: Frontier AI 41% · Applied AI 35% · Defense tech 9% · Medical device R&D 7% · Pre-clinical / gene 4% · Other R&D 4%. Seniority: C-level 53% · Director 29% · VP/Head 13% · other 5%.
Percentages reflect unique respondents who selected each option, rounded to whole numbers. Multi-select and ranking questions can sum above 100% and are labeled accordingly; single-select breakdowns sum to 100% within rounding. Net-agree and net-concerned figures combine the top two response options. All numbers trace to the structured survey data. Research powered by Gather.