Verify Explicitly: Why Your Badge Reader Alone Is Not Enough

Zero Trust Series, Part 1 of 6 by Senior Product Manager, Hosted Solutions, Matt Macintosh

How Symmetry CONNECT PIAM ensures that every access decision is grounded in current identity data, contextual signals, and explicit authorization, not just a valid credential.

For decades, physical security has operated on a principle of implicit trust: if someone has a badge, and the badge opens a door, they are in. That model made sense when workforces were stable and threats came mainly from outside the building. Neither condition holds today. 

Today’s facilities host a mix of employees, contractors, temporary staff, and visitors, each at a different level of authorization, some of which may have lapsed without anyone noticing. The rise in insider threats means the person who just swiped their badge may have had their employment terminated yesterday or may hold access rights that no longer match their current role.

The answer is not more cameras or more guards. It is a fundamentally different philosophy about how access decisions are made. That philosophy is Zero Trust, and its first principle is Verify Explicitly. 

“Verify Explicitly means never assuming a credential is sufficient. Every access request must be authenticated and authorized against all available data before a decision is made.” 

What Verify Explicitly Means 

In cybersecurity, Verify Explicitly means that every access request must be authenticated against all available data points: device, location, time of day, behavioral patterns, and the sensitivity of the resource being accessed. No single factor is enough. Trust must be earned continuously, not assumed at login and then forgotten. 

For physical security managers, the translation is direct: a badge swipe tells you someone possesses a credential. It does not tell you whether that credential is still authorized, whether the person’s role still requires access to that space, or whether contextual factors (time, location, visitor status) should influence the decision. Verify Explicitly demands you use all that information every time a door is approached.

The Problem with Implicit Trust in Physical Access 

Traditional access control systems were designed around a binary model: the credential is either valid, or it is not. This model has critical weaknesses that physical security managers face every day: 

  • Orphaned credentials: When an employee leaves, their badge is only revoked if someone manually removes it. Delays in this process, common without automated identity management, leave active credentials in the hands of former employees.
  • Role drift: Over time, employees change roles, but their access rights may not change with them, accumulating permissions that no longer reflect their current function. 
  • Context blindness: A traditional system does not know that a door is being swiped at 2:00 a.m. by someone who normally works 9 to 5, or that the same badge has attempted access to six high-security areas in the last ten minutes. 
  • Third-party blind spots: Contractors are often granted access through manual, paper-based processes that are difficult to audit and even harder to revoke on time. 

Each of these is a failure of implicit trust. The system assumed that a credential, once issued, remains valid, contextually appropriate, and in the hands of the right person. Zero Trust rejects every one of those assumptions. 

How Symmetry CONNECT Applies Verify Explicitly 

Symmetry CONNECT by AMAG Technology is purpose-built to bring explicit verification to physical access control. Rather than treating a badge swipe as the final word on access, it treats it as the beginning of a richer identity conversation. 

At the heart of the platform is deep integration with authoritative identity systems: HR Information Systems (HRIS), Active Directory, and enterprise Identity Providers. Before granting access, the system validates not just the credential but the identity behind it: Is this person still employed? Is their role unchanged? Are there flags on their account (a leave of absence, a pending termination, a security hold) that should affect their access? When an employee’s status changes in the HR system, that change flows automatically into Symmetry CONNECT. The badge may still physically exist, but its permissions are dynamically tied to the person’s current organizational standing.

For high-security areas, Symmetry CONNECT supports multi-factor authentication at the point of entry: badge plus PIN, badge plus biometric, or both. Even if someone obtains a valid badge, they cannot access a secure area without additional factors. MFA configurations can be layered by zone sensitivity, so server rooms, pharmaceutical vaults, and executive floors apply stricter verification than general office areas, mirroring how security teams apply MFA to sensitive data systems in the digital world.

Symmetry CONNECT in combination with Symmetry Access Control also adds contextual intelligence to every access decision. Access Groups can incorporate time-of-day restrictions, anti-passback logic that detects impossible movement patterns, visitor and escort requirements for sensitive areas, and role-based access profiles that automatically update when organizational data changes. Access is not just a binary check; it is a policy-driven evaluation of whether this person, in this context, at this time, should open this specific door.

Finally, Symmetry CONNECT drives formal access review and certification campaigns, prompting managers to periodically validate that the access rights of their direct reports remain appropriate. This surfaces orphaned permissions and role drift through a structured, auditable process, ensuring that Verify Explicitly is not a one-time event at provisioning, but an ongoing discipline embedded in how the organization governs access.

Scenario: The Contractor Who Stayed Too Long 

A contractor is engaged for a six-week HVAC retrofit and issued a badge granting access to the mechanical rooms. The project runs over schedule to ten weeks. The original access request specified a six-week window, but no one has updated it. 

Under a traditional system, the contractor continues to have access indefinitely unless someone manually reviews it. In a large facility with dozens of active contractors, that review rarely happens proactively. 

Under Symmetry CONNECT, the access was provisioned with a defined expiration date. As it approaches, the system automatically notifies the contractor’s sponsor and the facilities security manager. If the project extension is approved through the documented workflow, access is renewed. If not, it expires automatically, with no manual intervention needed and no risk of it being forgotten. This is Verify Explicitly in action: not just checking the badge, but validating the identity, the authorization, and the context at every decision point.
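
The policy-driven evaluation described in the previous section and in this scenario, reduced to a minimal decision function. This is an added illustration, not Symmetry CONNECT code or its API; the record fields, role names, zones and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass
class Identity:
    """Current record from the authoritative source (HRIS/directory); fields are assumed."""
    status: str                                    # "active", "terminated", "leave", "security_hold"
    role: str
    access_expires: Optional[datetime] = None      # set for contractors and visitors
    hours: tuple = (time(0, 0), time(23, 59, 59))  # permitted time-of-day window

@dataclass
class Door:
    zone: str
    allowed_roles: frozenset
    required_factors: frozenset                    # e.g. {"badge", "pin"} for sensitive zones

def decide(identity, door, factors, now):
    """Return (granted, reason). Every check must pass; the badge is only one input."""
    if identity is None:
        return False, "credential not linked to a known identity"
    if identity.status != "active":
        return False, f"identity status is {identity.status}"
    if identity.access_expires is not None and now >= identity.access_expires:
        return False, "access window expired"
    if identity.role not in door.allowed_roles:
        return False, "role not authorized for zone"
    start, end = identity.hours
    if not (start <= now.time() <= end):
        return False, "outside permitted hours"
    missing = door.required_factors - set(factors)
    if missing:
        return False, "missing factor: " + ", ".join(sorted(missing))
    return True, "granted"

# Constructed sample data: six-week contractor window starting 2024-01-01.
MECH = Door("mechanical", frozenset({"hvac_contractor", "facilities"}), frozenset({"badge"}))
SERVER = Door("server_room", frozenset({"it_ops"}), frozenset({"badge", "pin"}))
CONTRACTOR = Identity("active", "hvac_contractor", access_expires=datetime(2024, 2, 12))
FORMER = Identity("terminated", "it_ops")
ADMIN = Identity("active", "it_ops", hours=(time(9, 0), time(17, 0)))

if __name__ == "__main__":
    week_ten = datetime(2024, 3, 11, 10, 0)
    print(decide(CONTRACTOR, MECH, {"badge"}, week_ten))    # contractor in week ten
    print(decide(FORMER, SERVER, {"badge", "pin"}, week_ten))
    print(decide(ADMIN, SERVER, {"badge"}, week_ten))       # badge without PIN
```

The checks are ordered so that identity status and expiry are evaluated before any factor presented at the door, which is why a physically valid badge held by a terminated employee or an overrun contractor is denied.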

“A badge is not an identity. It is a representation of an identity at a point in time. Symmetry CONNECT ensures that representation stays current.” 

Why This Matters for Physical Security Managers 

Implementing Verify Explicitly through a PIAM platform shifts your security posture from reactive to proactive. Instead of investigating a breach and discovering a former employee’s badge was still active, automated safeguards prevent that situation from arising. Your team’s time shifts away from manually processing access events and toward higher-value security activities. 

From a compliance standpoint, the ability to demonstrate that every access decision is validated against current, authoritative identity data is increasingly expected across regulated industries, from pharmaceutical manufacturing and healthcare to finance and government facilities. The audit trail that Symmetry CONNECT generates as a byproduct of normal operations is the evidence those audits require.

And from a risk standpoint, every access decision that is grounded in current data rather than historical assumptions is a decision that is harder to exploit. Verify Explicitly does not just improve security; it makes the overall posture measurably, demonstrably stronger.

Conclusion: Trust Nothing, Verify Everything 

Verify Explicitly demands that we stop treating a badge swipe as a sufficient answer to ‘should this person be here?’ and start treating it as one data point in a dynamic, data-driven identity conversation. Symmetry CONNECT by AMAG Technology makes that conversation practical at scale by integrating with authoritative systems, enforcing contextual MFA, and driving continuous access certification.

In the next post in this series, we examine the second Zero Trust principle, Use Least Privilege, and how PIAM ensures people only have access to the spaces they truly need, reducing your physical attack surface from the inside out.

To learn more about Symmetry CONNECT or request a demo, visit amag.com/symmetry-connect or contact your regional AMAG representative.
