Headline Map // State of Physical Compliance Study
How the headlines map to the data
The six headlines the research plan worked backward from, measured against the verified N=782 results (Director-and-above physical-security, compliance, IT-security, and facilities leaders at multi-site enterprises), plus the structural findings the data surfaced on top. Color marks whether the data holds the headline up, supports it once reframed, or points the other way. Every figure traces to the structured survey data.
6 Holds
3 Reframed
0 Contradicted
9 Headlines mapped
The research plan named six desired headlines: cross-site identity continuity, the audit confidence gap, fragmented systems, visitor and ex-contractor access gaps, audit time cost, and the investment/priority gap. Four hold as written; two (audit confidence and the priority gap) reframe cleanly once the framing follows the data rather than the original hypothesis. On top of the six, the data surfaced three structural findings (the acquiescence pattern in the self-report battery, complexity rather than budget as the real barrier, and coordination outpacing continuity) strong enough to carry sections of the report.
HOLDS — The data confirms the headline as written.
REFRAMED — The data supports the finding once the framing is adjusted.
CONTRADICTED — The data points the other way.
Planned headlines — the six from the research plan
H1 · CROSS-SITE IDENTITY CONTINUITY (LEAD)
Contractors re-verified from scratch, site by site
HOLDS
Headline intended
"X% of contractors are re-verified from scratch at every site they visit." / "The average enterprise runs X disconnected visitor systems across its locations." The strongest story in the brief and Envoy’s published thesis.
Data says (N=782)
31% of organizations give contractors a single persistent identity everywhere across their sites, so roughly 7 in 10 do not. 18% re-enroll contractors from scratch at every new site, and only 54% avoid repeating full government-ID verification at each location (Q4-a, Q4-a.1).
Disposition
The continuity gap is the cleanest lead in the study. Employees mostly get a single identity (66%), but that collapses for contractors (31%) and visitors. Pair the contractor stat with the multi-system count in H3 for the full “same company, different site, different identity” story.
§ Cross-site identity
H2 · AUDIT CONFIDENCE GAP
Confident on audits, until you look underneath
REFRAMED
Headline intended
"X% of security and compliance leaders aren’t confident they could pass a physical security compliance audit today without significant prep." Needs a confidence shortfall above 50% to be press-quotable.
Data says (N=782)
62% are very confident they could pass a physical-security compliance audit today with no prep, and the shortfall is only 38%, below the 50%+ the plan wanted. But 69% had a real incident in the past year and 19% concede systems aren’t consistent across sites (Q6, Q13, Q19).
Disposition
The raw confidence-shortfall headline does not clear the bar (62% ARE very confident). Reframe to the confidence-vs-continuity gap: leaders feel audit-ready while the underlying identity and system continuity is missing. That tension is the report’s spine, and it is stronger than a sub-50% shortfall would have been.
§ Audit readiness
H3 · FRAGMENTED SYSTEMS
A stack of disconnected systems per site
HOLDS
Headline intended
"The average enterprise uses X disparate systems to manage physical security compliance — and X% say their systems aren’t consistent across locations." A strong vector for Envoy’s configurable cloud-layer positioning.
Data says (N=782)
75% run two or more separate visitor-management systems across their sites, and 47% run six or more. 49% pull compliance information from six or more systems; 25% from eleven or more (Q5, Q16).
Disposition
System sprawl holds cleanly and quantifies well. Lead with “75% run 2+ visitor systems” for the press line and “49% pull from 6+ systems” for the depth cut. Ties directly into the cross-site identity story: fragmentation is why continuity breaks.
§ Cross-site identity
H4 · VISITOR GAPS & EX-CONTRACTOR ACCESS
Strangers on-site and access that outlives departure
HOLDS
Headline intended
"X% of organizations have had an unauthorized person in a restricted area in the past year. X% have had a former employee or contractor retain physical access after departure." The article’s “contractor who built the facility months ago” angle.
Data says (N=782)
33% had a former employee or contractor retain physical access after leaving in the past year, and 13% had an unauthorized person reach a restricted area. 29% had someone on-site who was never signed in (Q19).
Disposition
Both halves of the intended headline are supported. The ex-employee/contractor retained-access stat (33%) is the sharper, more quotable number and maps straight onto Envoy’s published “witnessed stranger” narrative. Unauthorized-in-restricted-area (13%) is the backup.
§ Incidents
H5 · AUDIT STRESS & TIME COST
Hours lost pulling logs, worse under audit
HOLDS
Headline intended
"It takes the average security/compliance team X minutes to pull access logs in a normal week — and X% longer during an active audit." Granular time bands let us publish averages, not just categories.
Data says (N=782)
57% spend six or more hours a week on manual physical-security compliance work, and 20% spend eleven or more. 42% take more than 15 minutes just to pull access logs; 22% take over 30 (Q15, Q18).
Disposition
The time-burden story holds and the bands are granular enough to publish averages. Lead with the weekly manual-hours figure (57% at 6+ hrs) and use the log-pull latency as the “on-demand” proof point. Reinforces why single-pane continuity matters.
§ Time burden
H6 · INVESTMENT & PRIORITY GAP (OPTIONAL)
Physical vs. cyber prioritization
REFRAMED
Headline intended
"X% of security leaders say physical security is under-prioritized at their organization relative to cyber, despite physical breaches being a real and rising risk." Reframed from raw spend to perception of investment.
Data says (N=782)
10% say physical security is under-prioritized relative to cyber; most say the balance is about right. But 31% report cyber takes 75%+ of the security budget, even as 69% had a real physical incident this year (Q21, Q22).
Disposition
The raw “under-prioritized” headline is soft (only 10% agree), so it cannot lead as written. Reframe to the spend-skew contradiction: a third put 75%+ of budget into cyber while two-thirds took a physical incident. That mismatch, not a self-reported priority gap, is the publishable version.
§ Investment
Emergent headlines — structural findings the data surfaced
E1 · ACQUIESCENCE PATTERN
Everyone agrees, including with contradictions
REFRAMED
Headline intended
Not a planned headline. Surfaced from the Q13 agree/disagree battery, where agreement runs high across every statement, including ones that contradict each other.
Data says (N=782)
~84–91% agree with nearly every Q13 statement about their visitor and compliance program, including statements that cannot all be true at once. Only ~19% concede systems aren’t consistent across sites (Q13).
Disposition
Read as a caution flag, not a headline. High uniform agreement points to acquiescence bias in the self-report battery, which is exactly why the behavioral items (system counts, re-verification, incidents) carry the report rather than the attitudinal ones. Note it in methodology.
Methodology
E2 · THE REAL BARRIER
Complexity, not budget, is the blocker
HOLDS
Headline intended
Not a planned headline. Surfaced from Q24, where the top-ranked barrier to better physical-security compliance is the complexity of requirements, above budget.
Data says (N=782)
23% rank “Complexity of compliance requirements” as their top barrier, ahead of budget. On the demand side, the most-wanted capability is real-time cross-site visibility (16%), with a single persistent identity record close behind (12%) (Q23, Q24).
Disposition
Strong enough to anchor the closing section. The barrier is complexity and fragmentation, not spend, which is precisely the problem a configurable cloud layer solves. Pairs naturally with the demand for real-time cross-site visibility.
§ Investment
E3 · COORDINATION VS. CONTINUITY
Teams coordinate; identities still don’t travel
HOLDS
Headline intended
Not a planned headline. Surfaced by contrasting how tightly physical and cyber teams say they coordinate against how little identity actually persists across sites.
Data says (N=782)
82% say physical and cyber security coordinate closely or sit on the same team, yet only 31% give contractors a persistent identity across sites and 75% run multiple visitor systems (Q3, Q4-a, Q5).
Disposition
A clean second-order finding that reinforces the lead: organizational coordination is not the missing piece; system and identity continuity is. Useful as a bridge between the ownership section and the cross-site identity section.
§ Ownership
The State of Physical Compliance • N = 782 enterprise security & compliance leaders • Publishes July 21, 2026
62% of physical security leaders are sure they'd pass a compliance audit today. 69% had a security incident this year.
Physical compliance confidence is high and evenly held. Underneath it, identity does not follow contractors across sites, most enterprises run two or more visitor systems, and the gaps concentrate by who owns security and how many buildings they run. The State of Physical Compliance breaks the numbers down by team, accountability, industry, and site count to show where the confidence is earned and where it is not.
20% of compliance and GRC leaders, the people who answer to auditors, report contractors get one identity across sites, against 35% among IT security leaders
52% of organizations where the front desk is first held accountable had an ex-employee or contractor keep access, against 29% where physical security owns it
73% of organizations in the 5-to-19-site band had a real incident this year, the highest of any size, above the largest enterprises at 65%
The Headline
The topline numbers are steady: 62% are very confident they could pass an audit today, 82% say physical and cyber teams coordinate closely. The variation that matters is underneath. Whether a returning contractor is recognized as the same person, whether access is revoked when someone leaves, and how many systems a team has to reconcile all move sharply with the operating model: which function owns security, who is blamed when it fails, what industry the organization is in, and how many sites it runs. This report isolates the cross-tabs where those differences are large enough, and consistent enough, to change how the finding should be read.
01 Who owns security
Only 21% of compliance leaders say a contractor keeps one identity across sites, against 36% of IT.
Two questions set up every cross-tab that follows: the team a respondent sits on, and the team first held accountable when an incident occurs. They are related but not the same, and both move the results. Physical or corporate security sits at the center of the buyer story and makes up the largest share on each, but IT security and compliance each own a meaningful slice, and accountability sometimes lands on functions with no security tooling at all.
Survey question S3: "Which of the following best describes the team you sit on?" (Share of all respondents.)
Physical security owns it at 49% of organizations, IT at 26%, compliance at 23%
Survey question Q2: "When a physical security incident actually occurs, who is the first person held accountable?" (Share of all respondents.)
In 12% of organizations, the first person blamed is HR, facilities, or the front desk
Those splits matter, because the same question about contractors gets a different answer depending on which team you ask. Compliance and GRC leaders, the people who answer to auditors, are the least likely to say a contractor is recognized as one identity across every site: 21%, against 36% of IT security leaders and 32% of physical-security leaders. The difference does not show up as more contractors being re-enrolled from scratch, which is close across teams. It shows up as a hedge: 42% of compliance leaders say contractors are recognized at some sites but not others, the highest of any function. Closest to the audit, they are the least willing to call the identity picture complete.
Survey question: "When contractors return to a different site than the one they first visited, are they recognized as the same person?" (Full breakdown by the team the respondent sits on. Each bar sums to 100%.)
Only 21% of compliance leaders say contractors keep one identity across sites, against 36% of IT
So What
Accountability alone does not settle the risk either. Where the front desk is first held accountable for an incident, 52% had an ex-employee or contractor keep access after leaving, and where HR is accountable, 45%. Where the physical-security team owns it, that drops to 29%. Putting a non-security function on the hook without giving it a system of record does not move the outcome the way owning the tooling does.
Survey question: "In the past year, has your organization experienced any of the following?" (Former employee or contractor retained access, by who is first held accountable for an incident)
Retained access hits 45% where HR is accountable, against 29% where physical security is
Share within each accountability group who had an ex-employee or contractor keep access after leaving. Study average 33%.
02 System sprawl
62% of IT-owned programs run six or more visitor systems, against 38% of security-owned ones.
More sites should mean more systems, and it does, but weakly. The sharper split is by owner: IT-run programs carry the heaviest stack, with 62% running six or more visitor systems against 38% of physical-security-owned programs. IT tends to inherit every site's tooling; physical security tends to standardize on fewer.
Survey question: "How many visitor management systems does your organization operate across all of its sites?" (Share running six or more, by the team the respondent sits on)
62% of IT-owned programs run six or more visitor systems, against 38% of security-owned
Share within each team running six or more visitor systems. Study average 47%.
So What
Fragmentation is baked in almost as soon as an organization has more than one location. The share running two or more visitor systems jumps to 75% at 2-to-4-site organizations and holds around 79% from there. The consolidation opportunity is not concentrated at the largest enterprises; it exists the moment a second site opens.
Survey question: "How many visitor management systems does your organization operate across all of its sites?" (Share running two or more, by number of sites)
Multi-system sprawl jumps to 75% at the second site and holds there
Share within each site-count band running two or more visitor systems. Study average 75%.
03 Confidence vs. continuity
Audit confidence peaks at 71% for single-site orgs and drops to 59% the moment a second site opens.
Audit confidence does not rise with scale or complexity. It is highest at single-site organizations and dips to 59% at 2-to-4-site organizations, exactly where multi-site fragmentation first appears but consolidation has not caught up, before recovering at larger footprints.
Survey question: "How confident are you that your organization could pass a physical security compliance audit today, with no prep?" (Share very confident, by number of sites)
Audit confidence falls from 71% at single-site orgs to 59% at 2-to-4 sites
Share within each site-count band who are very confident. Study average 63%.
So What
The team that runs the most systems also finds the most gaps when the auditor arrives. IT-owned programs are the most likely to have surfaced a compliance gap in an audit at 30%, above physical security at 23% and compliance and GRC at 21%. More systems means more surface area for something to be out of date when it is checked.
Survey question: "In the past year, has your organization experienced any of the following?" (A compliance gap discovered during an audit or review, by the team the respondent sits on)
30% of IT-owned programs surfaced a compliance gap in an audit, the most of any team
Share within each team that surfaced a compliance gap during an audit. Study average 24%.
04 Industry
Healthcare trails on contractor continuity at 22%, while Financial Services leads retained-access risk at 40%.
Industry moves the continuity and access numbers in ways that map to how each sector handles contractors and third parties. Healthcare reports the lowest contractor continuity at 22%, despite handling a heavy flow of vendors, locums, and visiting clinicians. Financial Services and Technology sit highest.
Survey question: "When contractors return to a different site than the one they first visited, are they recognized as the same person?" (Share reporting a single identity everywhere, by industry)
Healthcare trails at 22% contractor continuity, below every other sector
Share within each industry giving contractors one persistent identity across all sites. Study average 30%.
So What
The two sectors with the most contractor turnover also report the most retained access: Financial Services at 40% and Technology at 39%. Manufacturing, with a more stable on-site workforce, sits lower at 28%. The pattern is consistent: the more people move through a building, the more likely access outlives their departure.
Survey question: "In the past year, has your organization experienced any of the following?" (Former employee or contractor retained access, by industry)
Financial Services (40%) and Technology (39%) lead on retained-access risk
Share within each industry that had an ex-employee or contractor keep access after leaving. Study average 33%.
05 The awkward middle
Mid-size estates carry the most risk: 73% of 5-to-19-site orgs had an incident, above the largest at 65%.
Incident exposure is not linear in size. The 5-to-19-site band, large enough to be complex but often too small to have consolidated, carries the highest rate of real incidents at 73%, above both smaller organizations and the largest enterprises. The biggest organizations have usually invested in consolidation; the middle has the complexity without the platform.
Survey question: "In the past year, has your organization experienced any of the following at any of its physical sites?" (Share reporting at least one real incident, by number of sites)
Incidents peak at 73% for 5-to-19-site orgs, above the largest estates at 65%
Share within each site-count band reporting at least one real incident. Study average 70%.
So What
Retained-access exposure follows the same shape: it peaks at 40% in the 5-to-19-site band and falls to 24% at the largest organizations. Scale eventually forces a fix. The middle is where access hygiene breaks down most, and where a single system of record would change the most.
Survey question: "In the past year, has your organization experienced any of the following?" (Former employee or contractor retained access, by number of sites)
Retained access peaks at 40% in the 5-to-19-site band and falls to 24% at the largest
Share within each site-count band that had an ex-employee or contractor keep access after leaving. Study average 33%.
What To Do About It
Make the confidence provable.
The gaps in this report are not about awareness or budget. They are about the operating model: identity that does not follow a person across sites, access that outlives departure, and a stack of systems that no single team can reconcile. The fix is one identity that follows a person across every site, one record that can answer who was in the building yesterday, and one system that turns hours of weekly reconciliation into a query. Envoy builds the system of record for the physical world. Let's start with yours.
We surveyed 782 enterprise leaders in physical security, compliance and GRC, IT security, and facilities, all at organizations with 1,000 or more employees operating multiple physical sites, in a structured format covering screening plus 26 questions across ownership, cross-site identity, audit readiness, visitor and contractor tracking, log and time burden, incidents, and investment. Every respondent is a decision maker for, or a significant influence on, physical security tools, vendors, or compliance programs. This report is a cross-tab analysis: each chart shows the share of respondents within a group who gave a given answer, compared against the study average marked by the dashed line in each chart. Each bar is an independent group rate on a 0 to 100% scale, not a slice of a shared total, so bars within a chart are not expected to sum to 100%. Groups with fewer than 30 respondents are not plotted, so the smallest segments are omitted where the base is too thin to read. Charts show percentages, not counts. All figures trace to the source survey data.
A companion data appendix (every question, cross-tabbable by segment including industry and accountability), verbatim library (open-ended responses, filterable), and headline map (desired headlines against verified data) accompany this report.
Data Appendix // Cross-tabbable
Every question, sliceable by segment
The full distribution for every closed-ended question, N=782 enterprise security, compliance, IT, and facilities leaders at multi-site organizations with 1,000+ employees. Choose a cross-tab dimension below: Total shows each question as a chart; any segment view shows a cross-tab table with the percentage and count in every cell. Single-select columns sum to 100% of that segment's base; multi-select and ranking columns can exceed 100%. Segments with a base under 30 are directional, and cells under n=5 should be read with caution.
State of Physical Compliance
Verbatim Library · research deliverable
State of Physical Compliance Research · 2026
What security & compliance leaders actually said about multi-site audits.
An interactive library of every open-ended response from 782 qualified physical-security, compliance, IT-security, and facilities leaders responsible for security and compliance across their organization's sites. Browse by question, filter by team, seniority, company size, site count, audit confidence, and regulatory posture, then full-text search to surface themes and pressure-test your report coding. A red incident badge marks respondents who reported a real physical-security incident in the past 12 months.