Zero trust for physical security
How zero trust principles like continuous authentication, micro-segmented zones, and just-in-time access are reshaping physical access control.
The castle-and-moat model is failing
For decades, physical security operated on a simple assumption: once someone passes the front desk, they belong. A badge swipe at the lobby turnstile granted implicit trust across the entire building. Floor 3 server room? Accessible. Executive wing after hours? No additional challenge. This perimeter-first model mirrors the network security posture that zero trust architectures dismantled a decade ago — and it suffers from the same fundamental flaw.
The numbers tell the story. According to ASIS International’s 2025 survey, 67% of physical security breaches originate from valid credentials — tailgating behind authorized personnel, using cloned badges, or exploiting credentials that should have been revoked weeks ago. The perimeter was never breached because the attacker was already inside it.
Zero trust’s core axiom — never trust, always verify — applies to physical space with equal force. Every door event should be an independent authentication decision, evaluated against the current context: who is requesting access, to which zone, at what time, from which preceding location, and does their current risk score warrant it?
Micro-segmented zones: shrinking the blast radius
In network security, micro-segmentation limits lateral movement. A compromised workstation in accounting cannot reach the production database. Physical micro-segmentation applies the same principle to floorplans.
EntryBit models every physical space as a directed graph of access zones, each with independent policy enforcement. A single floor might contain eight distinct zones: open workspace, meeting rooms, network closet, kitchen, executive offices, visitor area, shipping dock, and data hall. Each transition between zones requires a discrete authorization decision.
The architecture works in three layers. The zone layer defines physical boundaries and their trust levels on a 1-5 scale. The policy layer maps role-zone-time tuples to allow/deny/challenge decisions. The enforcement layer handles the real-time credential verification at each door controller, completing the check in under 40ms so users never perceive a delay.
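The three layers can be sketched as a small policy engine. This is an added example, not EntryBit's code: the zone names are the eight from the text, while the lobby entry zone, the edges, the rules and the default-deny fallback are assumptions.

```python
from dataclasses import dataclass
from datetime import time

# Added illustration of the three layers above. Zone names come from the text; the
# lobby entry zone, edges, rules and the default-deny fallback are assumptions.
ZONES = {"lobby": 1, "visitor_area": 1, "open_workspace": 2, "meeting_rooms": 2,
         "kitchen": 2, "shipping_dock": 2, "executive_offices": 4,
         "network_closet": 4, "data_hall": 5}  # zone layer: trust level 1-5
EDGES = {"lobby": {"visitor_area", "open_workspace", "shipping_dock"},
         "open_workspace": {"lobby", "meeting_rooms", "kitchen",
                            "executive_offices", "network_closet"},
         "network_closet": {"open_workspace", "data_hall"},
         "data_hall": {"network_closet"}}  # directed edges a person can physically cross

@dataclass(frozen=True)
class Rule:  # policy layer: one role-zone-time tuple
    role: str
    zone: str
    start: time
    end: time
    decision: str  # "allow" | "deny" | "challenge"

POLICY = [
    Rule("employee", "open_workspace", time(0, 0), time(23, 59), "allow"),
    Rule("employee", "meeting_rooms", time(7, 0), time(20, 0), "allow"),
    Rule("netops", "open_workspace", time(0, 0), time(23, 59), "allow"),
    Rule("netops", "network_closet", time(7, 0), time(19, 0), "allow"),
    Rule("netops", "network_closet", time(19, 0), time(7, 0), "challenge"),  # after hours
    Rule("netops", "data_hall", time(7, 0), time(19, 0), "challenge"),
]

def in_window(t, start, end):
    """Windows whose start is later than their end wrap past midnight."""
    return start <= t <= end if start <= end else (t >= start or t <= end)

def authorize(role, from_zone, to_zone, now):
    """Enforcement layer: one independent decision per zone transition."""
    if from_zone not in ZONES or to_zone not in ZONES:
        return "deny"
    if to_zone not in EDGES.get(from_zone, set()):
        return "deny"  # no physical path from the preceding zone: implausible request
    for rule in POLICY:
        if rule.role == role and rule.zone == to_zone and in_window(now, rule.start, rule.end):
            return rule.decision
    return "deny"  # no matching tuple: fail closed instead of inheriting lobby trust
```

The preceding-zone check is what makes a badge that "appears" at the data hall door without ever passing the network closet a denied, loggable event rather than a lucky swipe.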
This granularity has measurable impact. Customers who deploy micro-segmented zones report a 74% reduction in unauthorized zone access within the first 90 days. More critically, mean time to detect a tailgating event drops from 14 hours to under 3 minutes when zone transition anomalies are correlated in real time.
Just-in-time door access
Permanent access rights are the physical security equivalent of standing SSH keys — convenient and dangerous. A maintenance technician who needs monthly access to the HVAC room carries a credential that works 24/7/365. An employee who changed teams six months ago still badges into their old department’s lab.
Just-in-time (JIT) access replaces standing permissions with ephemeral grants. In EntryBit, JIT works through three mechanisms. Scheduled grants are tied to calendar events: a contractor’s badge activates 15 minutes before their scheduled maintenance window and expires the moment the window closes. Request-based grants let employees request access to restricted zones through the mobile app, routed to the zone owner for approval, with a configurable TTL of 1 to 480 minutes. Escalation grants are triggered by incident response workflows: when a fire alarm activates, first responders receive temporary access to all egress-relevant zones automatically.
The implementation requires tight integration between the access control engine and external systems. EntryBit ingests calendar data from Google Workspace and Microsoft 365, HR status from BambooHR and Workday, and incident state from PagerDuty and ServiceNow. When a JIT grant expires, the revocation propagates to edge controllers within 800ms, even if the cloud connection drops, because controllers cache grant TTLs locally and enforce expiry independently.
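The scheduled and request-based grants, together with the controller-side expiry the previous paragraph describes, look roughly like this. This is an added model, not EntryBit's API: the Grant fields, the controller cache and its fail-closed expiry check are assumptions; only the 15-minute lead and the 1 to 480 minute TTL bounds come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Added model of the grant kinds above; the Grant fields, the controller cache
# and its fail-closed expiry check are this example's assumptions, not EntryBit's code.
MIN_TTL_MIN, MAX_TTL_MIN = 1, 480       # request-based grant TTL bounds from the text
SCHEDULED_LEAD = timedelta(minutes=15)  # scheduled grants go live this long before the window

@dataclass(frozen=True)
class Grant:
    credential: str
    zone: str
    not_before: datetime
    not_after: datetime
    kind: str  # "scheduled" | "request" | "escalation"

    def active(self, now):
        return self.not_before <= now < self.not_after

def scheduled_grant(credential, zone, window_start, window_end):
    # Calendar-backed: live 15 minutes before the window, dead the moment it closes.
    return Grant(credential, zone, window_start - SCHEDULED_LEAD, window_end, "scheduled")

def request_grant(credential, zone, approved_at, ttl_minutes):
    # Approval-backed, with the TTL bounded before a grant is ever minted.
    if not MIN_TTL_MIN <= ttl_minutes <= MAX_TTL_MIN:
        raise ValueError("TTL must be between 1 and 480 minutes")
    return Grant(credential, zone, approved_at,
                 approved_at + timedelta(minutes=ttl_minutes), "request")

class EdgeController:
    """Door controller for one zone: grants and their expiry are cached locally and
    checked against the controller's own clock, so a lost cloud link never extends access."""
    def __init__(self, zone):
        self.zone = zone
        self.cache = {}  # credential -> Grant

    def sync(self, grant):  # pushed by the cloud while the link is up
        if grant.zone == self.zone:
            self.cache[grant.credential] = grant

    def revoke(self, credential):  # explicit early revocation from the cloud
        self.cache.pop(credential, None)

    def decide(self, credential, now):  # never consults the cloud
        grant = self.cache.get(credential)
        if grant is None:
            return "deny"
        if not grant.active(now):
            if now >= grant.not_after:
                self.cache.pop(credential)  # expired: purge with no cloud round-trip
            return "deny"
        return "allow"
```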
Continuous authentication and risk scoring
A badge swipe proves identity at a single point in time. Zero trust demands more: continuous assessment throughout a session. In the physical world, a session is the interval between entering and exiting a zone.
EntryBit’s risk engine computes a per-person risk score updated every 60 seconds using five signal categories. Credential health checks whether the badge has been reported lost, whether MFA is enrolled, and whether the credential firmware is current. Behavioral baselines compare current access patterns against 90-day historical norms — a finance team member badging into the R&D lab at 2 AM deviates from baseline. Geospatial coherence validates that sequential badge events are physically plausible — a swipe in Building A at 10:00:00 followed by Building C at 10:00:45 three kilometers away is impossible. Companion signals cross-reference simultaneous nearby events to detect tailgating. Threat intelligence integrates external watchlist feeds for real-time screening.
When the risk score crosses a configurable threshold, the system triggers a step-up challenge: a push notification to the user’s enrolled device requiring biometric confirmation before the next door grants access. If the score exceeds the critical threshold, the credential is suspended and the SOC receives an alert with full event context.
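Two of the five signal categories, credential health and geospatial coherence, are enough to show how the score and the two thresholds interact. This is an added example, not EntryBit's risk engine: the weights, thresholds, speed bound and building distances are constructed assumptions; the Building A / Building C scenario is the one from the text.

```python
from dataclasses import dataclass
from datetime import datetime
# Added example, not EntryBit's engine: two of the five signal categories above
# (credential health, geospatial coherence) feed a 0-100 risk score. The weights,
# thresholds, speed bound and building distances are constructed assumptions.
MAX_SPEED_MPS = 3.0      # assumed ceiling for plausible movement between badge readers
STEP_UP_THRESHOLD = 50   # at or above: biometric step-up before the next door opens
CRITICAL_THRESHOLD = 80  # at or above: suspend the credential and alert the SOC

@dataclass(frozen=True)
class BadgeEvent:
    credential: str
    building: str
    at: datetime

@dataclass(frozen=True)
class CredentialHealth:
    reported_lost: bool
    mfa_enrolled: bool
    firmware_current: bool

# Constructed straight-line distances between buildings, in metres.
DISTANCE_M = {frozenset({"A", "B"}): 400, frozenset({"A", "C"}): 3000,
              frozenset({"B", "C"}): 2700}

def required_speed(prev, cur):
    """Metres per second needed to be at both events; inf if the order is impossible."""
    d = 0 if prev.building == cur.building else DISTANCE_M[frozenset({prev.building, cur.building})]
    dt = (cur.at - prev.at).total_seconds()
    if dt <= 0:
        return 0.0 if d == 0 else float("inf")
    return d / dt

def risk_score(health, prev, cur):
    score = 0
    if health.reported_lost:
        score += 100  # a lost badge in use is critical on its own
    if not health.mfa_enrolled:
        score += 20
    if not health.firmware_current:
        score += 10
    if prev is not None and required_speed(prev, cur) > MAX_SPEED_MPS:
        score += 60   # e.g. Building A at 10:00:00, then Building C 3 km away at 10:00:45
    return min(score, 100)

def action(score):
    if score >= CRITICAL_THRESHOLD:
        return "suspend"
    return "challenge" if score >= STEP_UP_THRESHOLD else "allow"
```

With these weights the impossible A-to-C hop alone triggers a step-up challenge, and the same hop on a badge without MFA enrolled crosses into suspension, which is the layering the threshold design is meant to produce.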
Anomaly detection at the edge
Running anomaly detection in the cloud introduces latency and a dependency on network connectivity — both unacceptable for door-level decisions. EntryBit pushes lightweight detection models to the controller firmware itself.
Each controller runs a compact random forest model (under 2MB) trained on that specific door’s traffic patterns. The model evaluates three features per event: time-of-day deviation, inter-event interval, and credential frequency. Inference completes in 1.2ms on the controller’s ARM Cortex-M7 processor, adding negligible overhead to the 35ms access decision pipeline.
Edge models are retrained weekly using federated learning. Controllers upload anonymized feature distributions to the cloud, where a global model is updated and redistributed. No raw event data leaves the controller during training, preserving privacy while improving detection accuracy. In production, edge anomaly detection catches 91% of tailgating attempts and 84% of credential-sharing incidents before a cloud-side correlation engine even receives the event.
Conclusion
Zero trust in physical security is not a marketing label — it is a concrete architectural shift. It means replacing implicit trust zones with continuous per-door authentication. It means shrinking blast radius through micro-segmentation. It means eliminating standing access in favor of just-in-time grants. And it means pushing intelligence to the edge so that every controller is an autonomous policy enforcement point, not a dumb relay waiting for a cloud verdict.
The organizations deploying these patterns today are not doing so for theoretical reasons. They are responding to a threat landscape where valid credentials are the primary attack vector, where compliance frameworks increasingly mandate continuous verification, and where the cost of a physical breach — measured in regulatory fines, IP theft, and operational disruption — demands a defense model built on verification rather than trust.