Envoy
ENVOY
Research Report ● June 2026 ● 294 Director-and-Above Respondents

The AI Physical Security Threat Report

We surveyed 294 Director-and-above leaders at AI labs, R&D-heavy companies, biotech, and defense tech to map the gap between cyber-grade IP protection and the physical front door. Sophisticated cyber posture, 1990s-era physical posture.

67.3%
personally saw an unrecognized person in the workplace within the past 6 months
63.3%
witnessed a visitor or contractor doing something they shouldn't in the past year
58.0%
have considered missing security capabilities but never prioritized them
The Headline

The threats leaders worry about most are the same threats employees are personally witnessing in their buildings. Perception and reality are aligned, and the case for action is already made. The blocker is prioritization.

01 The IP at Stake

What AI Leaders Fear Losing First

When we asked leaders to rank the IP they most fear losing, no single category dominates. AI models, customer data, and proprietary research cluster within two points of each other, which means physical security has to defend a wide front.

Survey question: "When you think about IP theft or unauthorized access to sensitive information at your organization, which types of IP are you most concerned about protecting? Please rank up to 3, in order of concern." (Share of respondents ranking each category #1)
A Crowded Field of Crown Jewels
Top-choice rank, n = 294
So What

No single asset class can be ring-fenced. Programs need to assume that AI weights, customer records, research methods, and financials all live in the same buildings and travel through the same doors.

02 Part A · What They're Doing

Part A: What They're Actually Doing

Most programs are built on the basics: a badge reader, a guard, an escort. Roughly half of organizations cover each foundational control, but only about a quarter have stitched their visitor identity together across sites.

Survey question: "Which of the following are currently part of your physical security program for sensitive areas (labs, server rooms, R&D spaces)? Select all that apply." (Multi-select, percentages exceed 100%)
Foundations Are Common, Identity Continuity Is Not
% of respondents selecting each control, n = 294
So What

Half of leaders have badge readers and escorts. Far fewer have the connective layer that makes those controls auditable: only 27.6% maintain a single visitor record across all sites, and only 35.4% govern contractors with the same system as employees.

03 Part B · What They Think It Accomplishes

Part B: The Confidence-Coverage Gap

Leaders rate their programs more highly than the underlying controls justify. A net 58.2% agree their physical security would stop an unauthorized person, yet only 51.7% have badge access on sensitive doors and only 47.3% escort visitors at all times.

Survey question: "Thinking about your organization's overall physical security program for sensitive areas, to what extent do you agree or disagree with each of the following?"
Confidence Outpaces Coverage on Every Statement
Full distribution shown; n = 294
So What

The net agree rates (58.2% on prevention, 55.8% on yesterday's roster, 55.5% on contractor revocation, 52.4% on parity with cyber, 58.5% on tooling fit) sit above the corresponding Part A coverage rates. Programs are graded on intent. They should be graded on what's actually instrumented.

04 Part C · What They Don't Know to Ask For

Part C: The Awareness Gap Headline

For a measurable share of leaders, modern visitor controls aren't on the table because they don't know they exist. Across seven capabilities we asked about, between 12.6% and 15.6% of leaders said they didn't know the option was available.

Survey question: "Have you ever considered any of the following capabilities as part of your physical security program?"
A Quiet Layer of Leaders Who Didn't Know the Option Existed
Full distribution shown; n = 294
Survey question: "Why haven't you implemented the solutions you didn't select? Select all that apply." (Multi-select, percentages exceed 100%)
Why The Gaps Stay Open
% of respondents selecting each reason, n = 293
So What

58.0% have considered the missing capabilities but haven't prioritized them, and another 9.2% didn't know they were an option. The largest barrier isn't cost (20.8%); it's that leaders are stuck at "considered."

Sophisticated cyber posture, 1990s-era physical posture. The threats leaders worry about most are the same threats employees are personally witnessing in their buildings.

05 Witnessed Reality

Witnessed Incidents In The Past Year

This isn't a theoretical risk. 67.3% of leaders personally saw an unrecognized person in their workplace within the past 6 months, and 63.3% witnessed a visitor or contractor doing something they shouldn't in the past year. 77.9% report at least one unauthorized-access incident in the past year.

Survey question: "When was the last time you personally saw someone in your workplace that you didn't recognize and weren't sure should have been there?"
When Leaders Last Saw a Stranger Inside
Single-select, n = 294
Survey question: "Please estimate to the best of your ability how many times unauthorized or unverified people have ended up in workspaces at your organization where they shouldn't be, in the last year."
How Often Strangers End Up Inside
Single-select, n = 294
Survey question: "In the past year, have you witnessed a visitor or contractor doing any of the following? Select all that apply." (Multi-select, percentages exceed 100%)
What Leaders Have Personally Seen
% of respondents witnessing each behavior, n = 294
So What

38.8% of leaders have personally seen a visitor or contractor reach a restricted area, and 28.2% have seen someone view or photograph work-in-progress. The exposure isn't hypothetical, and it isn't rare.

06 Change-Blindness

Change-Blindness: Sites Shifted, Programs Didn't

Sites changed shape over the past year. 49.3% of leaders saw hybrid work increase, 43.5% saw more external visitors per week, and 31.6% had days with more contractors and vendors than employees. Programs adapted unevenly.

Survey question: "Which of the following has changed at your physical sites in the past 12 months? Select all that apply." (Multi-select, percentages exceed 100%)
What Changed at Sites in the Past Year
% of respondents reporting each change, n = 294
Survey question: "For each of the following potential changes at your physical sites, has your physical security program adapted? Mark 'Not applicable' for any change that hasn't happened at your organization."
Did The Program Actually Adapt?
Full distribution shown; n = 271 (respondents whose sites experienced any change)
So What

Among sites that experienced change, only 26.2% updated their process for more unverified people in the building, and 35.1% adapted to higher contractor turnover. The shift is happening faster than the program is responding.

07 Where The Worry Concentrates

Ex-Contractor And Insider Access Risk

When we asked what leaders are concerned about, the top answers all point inward. 66.7% are concerned about insiders intentionally exposing information, 65.7% about insider mistakes, and 66.0% about contractors accessing spaces unsupervised. 56.5% remain concerned about terminated employees retaining physical access.

Survey question: "How concerned are you about each of the following physical security threats at your organization?"
Insiders And Contractors Lead The Concern List
Full distribution shown; n = 294
So What

Concern is high, but only 48.3% of organizations revoke terminated-employee access within 24 hours. 31.3% disagree that terminated contractors lose access in that window. The threat leaders rank highest is the threat their controls handle weakest.

08 Budget Perception

The Investment Imbalance Leaders Won't Admit

83.3% of leaders say their current physical-cyber budget balance is right. Only 11.9% admit they underinvest in physical. Yet the same leaders just told us 67.3% have personally seen a stranger inside in the past 6 months.

Survey question: "Roughly what percentage of your organization's total security budget currently goes to physical security versus cybersecurity in 2026? Best estimate is fine."
How Today's Budget Splits
Single-select, n = 294
Survey question: "How does that compare to 3 years ago?"
Compared to Three Years Ago
Single-select, n = 294
Survey question: "Do you think the current balance is right for your organization?"
Most Leaders Say The Balance Is Right
Single-select, n = 294
Survey question: "How well do you think each of the following groups understands the risk of physical security breaches as a vector for IP theft?"
Who Gets The Risk
Full distribution shown; n = 294
So What

78.2% say leadership treats physical IP risk as a recognized priority (very well + somewhat). Cyber posture is funded for the threats leaders fear. Physical posture is funded for the threats they used to fear.

What To Do About It

Close the awareness gap. The threat case is already made.

The threats leaders worry about most are the same threats their teams are witnessing in their buildings, so perception and reality are aligned. The blocker is prioritization. 58% of organizations are stuck at "considered but not implemented," and 13 to 16% didn't know basic capabilities like watchlist screening or geofenced access were an option. The awareness gap, not the threat itself, is the story. We protect the places the world relies on most. Let's start with yours.

Talk to Envoy

Methodology

We surveyed 294 Director-and-above leaders across AI labs, R&D-heavy companies, biotech, and defense tech in a guided interview format covering 18 structured questions. Percentages reflect unique respondents who selected each option. Multi-select questions can sum above 100% and are labeled accordingly; single-select breakdowns sum to 100% within rounding. Open-text responses (q10b, q11b, q16) inform framing but are not surfaced as quoted respondent evidence here, because speaker metadata was not captured. All numbers in this report trace to the structured survey data.

294
Director-and-above respondents
18
Guided survey questions analyzed
4,386
Structured responses counted
June 2026
Fieldwork period

Note on cross-tab: the source data summary did not include screener-Q4 segment splits as separate prevalences, so charts in this report show the aggregate across all 294 respondents. Segment-level cross-tabs require segment-tagged response data, which was not present in the data summary used for this analysis.

Headline Map  //  AI Physical Security Threat Study

How the headlines map to the data

The seven headlines the research plan worked backward from, measured against the verified N=294 results (Director-and-above leaders at AI labs, R&D-heavy companies, biotech, and defense tech), plus the structural findings the data surfaced on top. Color marks whether the data holds the headline up, supports it once reframed, or points the other way. Every figure traces to the structured survey data.

8 Holds
3 Reframed
0 Contradicted
11 Headlines mapped

The research plan named seven desired headlines: the shocker, the awareness gap, witnessed incidents, ex-contractor access, change-blindness, what's at stake, and building-yesterday accountability. Six hold or reframe cleanly. One (building-yesterday) tilts the other way and needs the honest version. On top of the seven, the data handed us four structural findings, the foundations-versus-continuity split, the confidence-coverage gap, the prioritization barrier, and the budget contradiction, that are strong enough to carry sections of the report.

HOLDS — The data confirms the headline as written.
REFRAMED — The data supports the finding once the framing is adjusted.
CONTRADICTED — The data points the other way.
Planned headlines — the seven from the research plan
H1 · SHOCKER (LEAD) Sophisticated cyber posture, 1990s-era physical posture HOLDS
Headline intended

"Only X% of AI lab leaders have all five basics of high-security visitor management in place." Or: "Y% of organizations doing sensitive AI work still use paper visitor logs."

Data says (N=294) 8.2% have all five high-security basics in place (badge, ID verification, government-ID capture, watchlist screening, and escort). 19.0% still sign visitors in on a paper logbook (Q2).
Disposition

The maturity-gap reveal lands hard. The "all five basics" cut is the cleanest shocker: fewer than 1 in 10 have the full high-security stack, despite protecting frontier IP. The paper-logbook stat (19%) is the backup. Lead with the basics number.

§02 Part A
H2 · AWARENESS GAP (THE GOLD) Leaders who didn't know the option existed HOLDS
Headline intended

"X% of AI and R&D leaders didn't know watchlist screening for visitors was an option." Positions Envoy as the educator, not just a vendor.

Data says (N=294) 12.6–15.6% didn't know each capability was an option, across all seven advanced controls (Q4). For denied-party / watchlist cross-referencing specifically, 15% didn't know it was an option. 9.2% cite "didn't know it was an option" as a reason gaps stay open (Q2-a).
Disposition

This is the gold, as the plan predicted. The "didn't know watchlist screening was an option" framing is directly supported (15% on the denied-party item). The narrow, consistent band across all seven controls makes it durable. Stands as written.

§04 Part C
H3 · WITNESSED INCIDENTS Leaders have personally seen strangers inside HOLDS
Headline intended

"Y% of AI and R&D leaders have personally seen someone in their lab they didn't recognize in the past year." Time-bound, witnessed-by-the-leader stats are press gold.

Data says (N=294) 67.3% personally saw someone they didn't recognize and weren't sure should be there within the past 6 months (Q8); 77.9% report at least one unauthorized-access incident in the past year (Q7); 38.8% have personally seen a visitor or contractor reach a restricted area (Q9).
Disposition

The strongest stat in the study. The plan asked for "past year"; the data is even tighter, two-thirds within 6 months. This is the lead the report opens on. Stands, with the tighter window.

§05 Witnessed reality
H4 · EX-CONTRACTOR ACCESS The contractor with the still-valid badge HOLDS
Headline intended

"Z% of terminated employees retain physical access for more than 24 hours, and a third of leaders don't think that's a problem." The Envoy article's still-valid-badge story, framed for AI labs.

Data says (N=294) 56.5% are concerned about terminated employees retaining access, and 66.0% about contractors accessing spaces unsupervised (Q6), yet only 48.3% revoke terminated-employee access within 24 hours and only 35.4% govern contractors with the same system as employees (Q2).
Disposition

Holds on the concern-versus-control gap. Just under half close terminated access within 24 hours, so "more than half don't revoke within a day" is the defensible version. The "third don't think it's a problem" clause maps to the ~44% not highly concerned about terminated access. Frame to the revocation gap.

§07 Worry concentrates
H5 · CHANGE-BLINDNESS Sites shifted, programs didn't REFRAMED
Headline intended

"Contractor and vendor access surged at X% of AI labs in the past year. Only Y% updated their security program to match." The hybrid-work reframe per Shannon.

Data says 26.2% of those whose sites changed updated their process for more unverified people in the building (Q5-a, n=271). 49.3% saw hybrid work increase, 43.5% more external visitors per week, 31.6% more contractor-heavy days (Q5).
Disposition

Holds, but the "only Y% adapted" stat is among the subset whose sites actually changed (n=271), not all 294. Frame as: "Among AI labs whose sites changed, only 26% updated their process for more unverified people in the building." Reframe to the change-experienced base.

§06 Change-blindness
H6 · WHAT'S AT STAKE AI models top the list of IP leaders fear losing HOLDS
Headline intended

"AI models and training data top the list of IP that AI leaders fear losing, ahead of proprietary research and product roadmaps." A ranking story for AI-specific press.

Data says (N=294) 18% rank AI models and training data their #1 IP concern, ahead of client/customer data (17%), proprietary research (16%), and product roadmaps (11%) (Q1, top-choice share).
Disposition

Holds as written, AI models do top the list. The sharper, more honest framing is how close the field is: the top four cluster within seven points, so "no single asset can be ring-fenced" is the stronger story. Lead with the ranking, support with the crowded-field nuance.

§01 IP at stake
H7 · BUILDING-YESTERDAY Can't tell you who was in their building yesterday REFRAMED
Headline intended

"X% of AI lab leaders can't tell you who was in their building yesterday." Flagged as a strong social/share headline.

Data says (N=294) 44% cannot confidently say they could tell you exactly who was in their building yesterday (34% disagree, 10% neither agree nor disagree). A 56% majority agree they could, 43% strongly (Q3).
Disposition

The clean "X% can't tell you" framing overstates it: the majority say they could, so "can't" is a minority. The honest, still-strong version: "Nearly half of leaders at frontier-IP organizations can't confidently say who was in their building yesterday." Reframe to "can't confidently say," and pair with the confidence-coverage gap (H10), since the self-rating may itself be optimistic.

§03 Part B
Emergent headlines — what the data surfaced on top
H8 · PRIORITIZATION The blocker is prioritization, not cost HOLDS
Headline available

The biggest barrier to better physical security isn't budget. It's that leaders have considered the controls and never prioritized them.

Data says (N=293) 58.0% have considered the missing controls but haven't prioritized them (Q2-a), nearly 3x the share citing cost ("too expensive," 20.8%).
Disposition

The "so what" that ties the whole report together and reframes the conversation away from budget. Pairs with H2: the gap is part awareness, mostly prioritization. Strong enough to be the closing argument.

§04 Part C
H9 · FOUNDATIONS VS CONTINUITY Foundations are common, identity continuity is not HOLDS
Headline available

Programs are built on the basics; the connective layer that makes them auditable is missing.

Data says (N=294) 27.6% maintain a single visitor record across all sites, and 35.4% govern contractors with the same system as employees, against 51.7% with badge access on sensitive doors (Q2).
Disposition

The structural spine of the Envoy thesis: roughly half have a badge reader, only about a quarter have connected identity across sites. This is the product-shaped gap. Strong support.

§02 Part A
H10 · CONFIDENCE-COVERAGE Confidence outpaces coverage on every statement HOLDS
Headline available

Leaders rate their programs more highly than the underlying controls justify.

Data says (N=294) 58.2% agree their program would stop an unauthorized person (Q3), yet only 51.7% have badge access on sensitive doors and 47.3% escort visitors at all times (Q2). Net-agree sits above coverage on all five Part B statements.
Disposition

Consistent across all five statements (net-agree 52–59% vs lower Part A coverage). Programs are graded on intent, not on what's instrumented. This is also the caveat that makes H7's self-rating suspect. Stands.

§03 Part B
H11 · BUDGET CONTRADICTION The investment imbalance leaders won't admit REFRAMED
Headline available

AI labs underinvest in physical security relative to cyber, and most won't admit it.

Data says (N=294) 83.3% say their current physical-cyber balance is right; only 11.9% admit underinvesting in physical (Q13), even though 67.3% just told us they saw a stranger inside in the past 6 months. 78.2% say leadership treats physical IP risk as a recognized priority (Q10).
Disposition

Leaders don't confess underinvestment, so "won't admit it" is the honest framing: the imbalance shows up in the gap between stated comfort (83.3% say balance is right) and witnessed reality, not in self-reported regret. Reframe to the contradiction.

§08 Budget perception
ENVOY  //  AI PHYSICAL SECURITY THREAT  //  HEADLINE MAP N=294 DIRECTOR-AND-ABOVE  //  JUNE 2026  //  ALL FIGURES FROM SOURCE DATA
Data Appendix  //  Cross-tabbable

Every question, sliceable by segment

The full distribution for every closed-ended question, N=294 Director-and-above leaders at AI labs, R&D-heavy companies, biotech, and defense tech. Choose a cross-tab dimension below: Total shows each question as a chart; any segment view shows a cross-tab table with the percentage and count in every cell. Single-select columns sum to 100% of that segment's base; multi-select columns can exceed 100%. Segments with a base under 30 are directional, and cells under n=5 should be read with caution.

Cross-tab by
ENVOY  //  AI PHYSICAL SECURITY THREAT  //  DATA APPENDIX N=294  //  JUNE 2026  //  ALL FIGURES FROM SOURCE DATA
Verbatim library  //  Respondents in their own words

What 294 security leaders actually said

The unedited free-text responses behind the report, grouped by the three open-ended questions: the protocol leaders follow when an unrecognized person appears, what they have personally witnessed at their sites, and the single change they would make to better protect IP. Filter by question, seniority, or organization type, or search the full text. Attribution shows self-reported seniority and organization focus only; no respondent is individually identified.

Question
No verbatims match those filters.
ENVOY  //  AI PHYSICAL SECURITY THREAT  //  VERBATIM LIBRARY N=294  //  643 RESPONSES  //  JUNE 2026  //  UNEDITED RESPONDENT TEXT
0