Zero Trust Series, Part 3 of 6 by Senior Product Manager, Hosted Solutions, Matt Macintosh
How Symmetry CONNECT PIAM prepares your organization for the reality that your perimeter may already be compromised, with the visibility, audit trails, and detection capabilities to know when it happens.
There is a question every physical security manager must be willing to ask, even if the answer is uncomfortable: what if someone is already inside who should not be there?
It is not hypothetical. Physical security breaches rarely look like a movie break-in. They look like a badge swipe from an employee whose termination was processed too slowly. A contractor who retained access after their engagement ended. An employee who tailgated through a secure door behind a colleague. An insider who, over months, quietly accessed areas their role has no legitimate reason to require.
The third Zero Trust principle, Assume Breach, confronts this reality directly. Rather than designing a security strategy around an intact perimeter, it demands you design as if the perimeter has already failed. The critical questions become: how quickly will we detect it? How much damage can be done before we do? And how much can we contain once we know?
“Assuming Breach does not mean accepting failure. It means designing your security posture to detect, contain, and respond to failure faster than the threat can exploit it.”
Why Perimeter Thinking Falls Short
Traditional physical security was built on a perimeter model: secure the fence, the lobby, the badge reader—and trust anyone who gets through. That assumption has always been imperfect, but it has become genuinely untenable in a world of hybrid workforces, complex contractor ecosystems, and highly mobile personnel. Today’s facilities routinely contain employees, contractors, sub-contractors, vendors, and visitors at various stages of authorization. Some have legitimate access to sensitive areas. Some do not. Some did last week but do not this week.
Insider threats, whether malicious, accidental, or the result of a compromised credential, represent a persistent and significant proportion of serious physical security incidents. The perimeter alone cannot distinguish between a trusted employee and someone holding a credential they should no longer have once both are inside the building.
Assume Breach builds a security architecture that functions not just at the perimeter, but throughout the interior: monitoring activity, detecting anomalies, creating audit evidence, and enabling rapid response wherever a threat emerges.
What Physical Breach Indicators Look Like
Unlike cyber breaches, which generate clear technical artifacts, physical breaches are often subtle and slow-moving. Key indicators include:
- Access to areas outside normal role scope: an employee entering a server room, executive area, or stockroom their role has no reason to require.
- Access during anomalous time windows: a badge swipe at 2:00 a.m. from someone whose normal schedule is 8:00 to 5:00.
- Rapid multi-area access patterns: a sequence of swipes across multiple secure areas in a short window, suggesting reconnaissance or systematic access.
- Repeated failed access attempts to areas for which a person is not authorized.
- Access by recently flagged identities: someone placed on administrative leave, under a disciplinary action, or flagged by HR.
- Credential use after employment ends: a badge swipe from a former employee or expired contractor whose credential was never deactivated.
These patterns are only visible if the access control system captures comprehensive data, correlates it against identity and HR context, and surfaces anomalies to the security team. Without that capability, a breach can remain undetected for weeks or months.
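The indicators listed above can be expressed as rules over badge events joined to identity context. The following is an added example, not part of the original article and not Symmetry CONNECT code; the record schema, badge numbers, indicator names, and the thresholds (three events, ten-minute window) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity/HR context; the schema is hypothetical.
PEOPLE = {
    "B100": {"status": "active", "areas": {"lobby", "office"}, "hours": (8, 17)},
    "B200": {"status": "terminated", "areas": {"lobby", "office"}, "hours": (8, 17)},
    "B300": {"status": "flagged", "areas": {"lobby", "lab"}, "hours": (8, 17)},
    "B400": {"status": "active", "areas": {"lobby", "lab", "stockroom", "server_room"}, "hours": (8, 17)},
}
SECURE = {"server_room", "lab", "stockroom"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed badge events: (timestamp, badge, area, outcome).
EVENTS = [
    ("2024-03-04 09:15", "B200", "lobby", "granted"),
    ("2024-03-04 10:30", "B300", "lab", "granted"),
    ("2024-03-04 14:00", "B400", "lab", "granted"),
    ("2024-03-04 14:03", "B400", "stockroom", "granted"),
    ("2024-03-04 14:06", "B400", "server_room", "granted"),
    ("2024-03-05 02:00", "B100", "server_room", "denied"),
    ("2024-03-05 02:01", "B100", "server_room", "denied"),
    ("2024-03-05 02:02", "B100", "server_room", "denied"),
]

def detect(events, people):
    """Return sorted (badge, indicator) pairs found in the event stream."""
    hits, recent = set(), defaultdict(list)
    for ts, badge, area, outcome in sorted(events):
        when, p = datetime.strptime(ts, "%Y-%m-%d %H:%M"), people.get(badge)
        if p is None:  # event cannot be correlated to any identity record
            hits.add((badge, "no_identity_record"))
            continue
        if p["status"] == "terminated":
            hits.add((badge, "use_after_termination"))
        if p["status"] == "flagged":
            hits.add((badge, "flagged_identity"))
        if area not in p["areas"]:
            hits.add((badge, "out_of_scope"))
        if not p["hours"][0] <= when.hour < p["hours"][1]:
            hits.add((badge, "off_hours"))
        # Keep only this badge's events inside the sliding window.
        recent[badge] = [e for e in recent[badge] if when - e[0] <= WINDOW]
        recent[badge].append((when, area, outcome))
        if sum(o == "denied" for _, _, o in recent[badge]) >= 3:
            hits.add((badge, "repeated_denials"))
        if len({a for _, a, _ in recent[badge] if a in SECURE}) >= 3:
            hits.add((badge, "rapid_multi_area"))
    return sorted(hits)
```

Note that B400 is authorized for every area it enters and works within normal hours, so only the sequence rule surfaces it; none of the per-event checks would.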
How Symmetry CONNECT Operationalizes Assume Breach
Symmetry CONNECT logs every access event, every badge swipe, every denied attempt, every credential change, with full identity context. Events are recorded not just as a badge number and a door, but as a named individual with their role, organizational unit, time, location, and outcome. This enables real-time forensic reconstruction of exactly what happened, when, and under what circumstances.
This integration matters beyond the physical security domain. Many advanced threats combine physical and cyber indicators. An attacker who gains physical access to a server room may simultaneously generate unusual network traffic. An insider threat may show anomalous behavior patterns in both physical and digital access logs. By feeding physical access data into the unified security operations picture, Symmetry CONNECT enables correlation that would be invisible if the two disciplines were siloed.
Symmetry CONNECT also supports rigorous separation of duties in access administration. The ability to provision access rights, approve requests, and modify system configuration is distributed across multiple roles with oversight of each other. All administrative actions are logged and auditable, preventing a malicious insider from quietly granting themselves, or an accomplice, access to secured areas without any review or alert.
“The most dangerous assumption in physical security is that an absence of alerts means an absence of threat. Assume Breach demands that you actively look for evidence of compromise.”
Why This Matters for Physical Security Managers
Assume Breach reframes how security managers measure success. Rather than asking ‘is the perimeter holding?’ the question becomes ‘how quickly will we detect a failure, and how well can we contain it?’ This shift has practical consequences for the capabilities you invest in: audit trails become critical infrastructure rather than compliance overhead, anomaly detection becomes a core operational function rather than a nice-to-have, and integration with cyber security operations becomes a strategic priority rather than a long-term ambition.
It also changes how you communicate risk to leadership. Rather than defending the perimeter’s integrity, you can present evidence of detection capability: how many anomalies were surfaced last quarter, how quickly they were investigated, and what access risks were proactively identified and remediated. This is a more credible and defensible security posture than simply asserting the perimeter is intact.
Symmetry CONNECT provides the data foundation and operational tools to make that shift real, turning the access control system from a gatekeeper into a security intelligence platform that is continuously watching and ready to surface the anomalies that signal something has gone wrong.
Conclusion: Prepare for What You Hope Will Not Happen
Assume Breach is the most demanding Zero Trust principle because it requires confronting the possibility that current defenses may not stop every intrusion. But it is also the most realistic: it acknowledges the complexity of the modern facility environment and builds a posture resilient enough to detect and contain what prevention misses.
Symmetry CONNECT by AMAG Technology provides comprehensive audit trails and separation-of-duties governance to make Assume Breach operational in physical security, every day, across every facility.
Next in this series: Verify Continuously: how PIAM ensures that access authorization is an ongoing process, not a one-time provisioning decision.
To learn more about Symmetry CONNECT or request a demo, visit amag.com/symmetry-connect or contact your regional AMAG representative.