Modernizing Access Control: From Paper Logs to In‑Out Visibility

June 2, 2026

Key takeaway: Two ASIS International reports document the same structural gap: organizations that manage visitor and temporary credentials digitally report significantly higher confidence in access control effectiveness and emergency response than those relying on paper-based processes. Visitor management is consistently one of the highest-leverage improvements available to security programs that are already mature in employee credentialing.

 

Walk into most enterprise facilities and the same pattern appears: employees badge through readers with multifactor credentials, while the contractor behind them signs a paper sheet at reception and receives a handwritten badge that never expires. The people an organization knows best are tightly controlled. The people it knows least move through on the weakest process in the building.

Access control modernization, the process of replacing paper-based visitor and temporary credential workflows with integrated digital systems, addresses the gap that employee-facing security investments leave open. Two ASIS International reports quantify where that gap shows up and what closing it produces.

The Essentials of Access Control: Insights, Benchmarks, and Best Practices report, based on a survey of more than 1,000 security professionals, surfaces two findings that stand out:

  • Organizations using higher-security credentialing technology report substantially greater system confidence: 70% of those with high-security technology agree their access control system is highly effective, compared to 54% of those relying on lower-security methods.
  • Only 17% of respondents perform any structured red teaming or self-testing of their access controls. Among those that do, 82% report confidence in system effectiveness, compared to 61% of all security professionals surveyed.

A second ASIS report, Security Practices in Visitor and Emergency Management, adds the emergency readiness dimension: 54% of facilities lack clear visibility into visitor and contractor locations during emergencies, and 38% cannot communicate with visitors in real time. Both gaps are addressable when visitor identity and contact details live in the same system used for incident notifications.

The Compliance & Security Cost of Paper Visitor Logs

A paper sign-in sheet looks operationally simple. The costs it carries are less visible.

Handwriting is often illegible; when something goes wrong, a smudged name and an approximate time are not the audit trail that security, HR, or legal needs.

Logs can also be edited, lost, or photographed without detection. The privacy exposure is structural: each new visitor signs in full view of every prior entry on the page. Under GDPR and state-level privacy regulations including Illinois's Biometric Information Privacy Act (BIPA), that incidental disclosure carries compliance risk that grows with visitor volume and is difficult to remediate after the fact.

How Integrated Visitor Management Strengthens Access Control

The most direct way to close the lobby gap is to replace paper sign-in with a digital visitor management system (VMS) that is integrated into the existing access control system (ACS), not running alongside it as a separate tool. A standalone VMS that doesn't connect to the ACS still leaves credential behavior uncontrolled at the door level.

Integration changes three things.

  1. Identity assurance before credentialing.
    A modern VMS captures government ID, photo, NDA signature, and safety acknowledgments before any badge prints. Connected to the ACS, it issues a time-limited credential or QR code that expires automatically at the end of the visit.

  2. Zone-limited, time-boxed access.
    Visitors receive the same granular access design as employees rather than being escorted manually or allowed to roam. A contractor arrives to service specific equipment and receives a credential that opens only the relevant zones, during a defined window, on one day. At the end of that window, the credential expires without manual intervention.

  3. Searchable, auditable records.
    Every door event tied to a temporary credential becomes a retrievable record during an audit or incident investigation, not a note in a binder that may or may not be legible.
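The three changes above, shown as an added sketch that is not FacilityOS code or any vendor's API: a door decision for a temporary credential that enforces the zone list and time window and writes every read to an audit log. The class, function, zone and credential names are assumptions, and the sample contractor is constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class VisitorCredential:
    credential_id: str
    holder: str
    zones: frozenset        # only these zones open for this credential
    valid_from: datetime
    valid_until: datetime   # expiry is enforced at the door, no manual revocation

AUDIT_LOG = []  # every read, granted or denied, becomes a searchable record

def decide(cred, zone, at):
    """Evaluate one door read; log it and return (granted, reason)."""
    if at < cred.valid_from:
        granted, reason = False, "not_yet_valid"
    elif at >= cred.valid_until:
        granted, reason = False, "expired"
    elif zone not in cred.zones:
        granted, reason = False, "zone_not_permitted"
    else:
        granted, reason = True, "ok"
    AUDIT_LOG.append({"time": at.isoformat(), "credential": cred.credential_id,
                      "holder": cred.holder, "zone": zone,
                      "granted": granted, "reason": reason})
    return granted, reason

def denied_events(credential_id):
    """Audit query: denied reads for one temporary credential."""
    return [e for e in AUDIT_LOG
            if e["credential"] == credential_id and not e["granted"]]

# Constructed sample: a contractor servicing one room, 09:00-13:00 on one day.
CONTRACTOR = VisitorCredential(
    "TMP-0001", "HVAC contractor", frozenset({"lobby", "mechanical_room"}),
    datetime(2026, 6, 2, 9, 0), datetime(2026, 6, 2, 13, 0))

if __name__ == "__main__":
    reads = [("mechanical_room", datetime(2026, 6, 2, 10, 30)),
             ("server_room", datetime(2026, 6, 2, 10, 45)),
             ("mechanical_room", datetime(2026, 6, 2, 13, 5))]
    for zone, at in reads:
        print(zone, at.time(), decide(CONTRACTOR, zone, at))
    print(len(denied_events("TMP-0001")), "denied reads on record")
```

Denied reads are logged alongside grants because an out-of-zone or after-expiry attempt on a temporary badge is often the more useful record in an investigation.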

Tool Recommendation

The gap between how an ACS manages employee credentials and how it handles visitor credentials is where SecurityOS, the FacilityOS physical identity and access management (PIAM) module, applies. Connected to VisitorOS, FacilityOS's visitor management module, it automates credential provisioning and zone-specific access rules based on visitor identity and purpose of visit. In regulated environments, that combination addresses the audit trail and compliance requirements that paper-based processes cannot meet at scale.

One global pharmaceutical organization deploying VisitorOS across seven sites went from processing fewer than 10 visitors per day to more than 200 visitors and contractors daily, with ISO 27001 audit trail requirements met automatically across all locations.

Access Control Policies, Staff Training, and Red Teaming

Technology closes the capability gap. Policy and training determine whether the capability is used consistently.

The ASIS Essentials of Access Control research is direct on this: organizations that reinforce access policies with staff regularly see 70% of their security professionals express confidence in system effectiveness, compared to 61% across the full survey population. The 9-percentage-point gap is consistent enough across the dataset that it represents a reliable lever, not an outlier.

Three practices produce most of that lift:

1. Match Credential Policy to Persona

Permanent employees, contractors, vendors, and one-time visitors have different access requirements and risk profiles. Visible badge differences, whether color coding, orientation, or role labeling, allow staff and guards to identify credential type at a glance. Escort requirements for labs, production lines, and life-safety environments are most effective when explicit in policy rather than left to individual judgment. Contractor-specific compliance workflows covering training verification, background check status, and permit-to-work conditions represent a distinct enough category to manage separately.

2. Extend Access Training Beyond the Security Team

Access expectations integrated into onboarding for both employees and contractors produce different behavior than a one-time briefing. Periodic reinforcement around tailgating, challenging unbadged individuals, and reporting lost cards builds habits that hold under operational pressure. Real incidents from the organization's own sites carry more weight in that training than hypothetical scenarios.

3. Test Controls with Realistic Scenarios

A cross-functional internal team drawing from security, operations, HR, legal, and IT/OT can run credible probes without the cost of an annual external engagement. Can someone follow a contractor through a loading dock without a badge? Does anyone notice the wrong badge color in a restricted zone? What happens when a temporary badge is not returned at end of day? The ASIS red teaming data is among the most striking in the research: organizations that test their controls regularly are 21 percentage points more likely to report confidence in system effectiveness than those that don't.

Real-Time In-Out Tracking and Emergency Response Readiness

The two gaps documented in the ASIS Security Practices in Visitor and Emergency Management report, visibility into who is on site and real-time communication with visitors during incidents, share a common cause: visitor and contractor data living outside the systems that emergency response depends on. When those systems converge, both gaps close:

  • A real-time roster of everyone badged into a building or zone is available the moment an alarm sounds.
  • Employees, contractors, and visitors are distinguishable for targeted roll calls rather than being counted together or excluded from the count.
  • Safety officers at muster points work from a tablet against a live record rather than a paper list.
  • SMS and email alerts reach every person who checked in that day, using contact details captured at registration.
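How a live roster falls out of badge events, as an added sketch that is not taken from the ASIS report or from any product: in/out events are replayed up to the alarm time, grouped by persona for roll call, and compared against muster check-ins. The event tuple layout, function names, people and phone numbers are constructed, and same-day "HH:MM" timestamps are an assumption.

```python
from collections import defaultdict

# Constructed sample badge events: (time, person, persona, direction, zone)
EVENTS = [
    ("09:02", "A. Rivera", "employee",   "in",  "plant"),
    ("09:10", "B. Chen",   "contractor", "in",  "plant"),
    ("09:15", "C. Okafor", "visitor",    "in",  "office"),
    ("11:40", "B. Chen",   "contractor", "out", "plant"),
    ("12:05", "B. Chen",   "contractor", "in",  "warehouse"),
    ("12:30", "A. Rivera", "employee",   "out", "plant"),
]
# Constructed contact details, as captured at registration.
CONTACTS = {"B. Chen": "+1-555-0101", "C. Okafor": "+1-555-0102"}

def on_site(events, as_of):
    """Replay events up to as_of; return {person: (persona, last zone entered)}."""
    present = {}
    for time, person, persona, direction, zone in sorted(events):
        if time > as_of:
            break
        if direction == "in":
            present[person] = (persona, zone)
        else:
            present.pop(person, None)
    return present

def roll_call(present):
    """Group the roster by persona so each group can be counted separately."""
    groups = defaultdict(list)
    for person, (persona, zone) in sorted(present.items()):
        groups[persona].append((person, zone))
    return dict(groups)

def unaccounted(present, mustered):
    """People badged in at alarm time who have not checked in at a muster point."""
    return sorted(set(present) - set(mustered))

def contacts_to_alert(present, contacts):
    """Registration contacts for everyone on site who has one on file."""
    return sorted((p, contacts[p]) for p in present if p in contacts)

if __name__ == "__main__":
    roster = on_site(EVENTS, "12:10")   # alarm sounds at 12:10
    print(roll_call(roster))
    print("Unaccounted:", unaccounted(roster, {"A. Rivera"}))
    print("Alert:", contacts_to_alert(roster, CONTACTS))
```

The roster is only as good as the exit events: a visitor who leaves without badging out stays on the list, which is why the muster comparison matters.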

Case Study & Tool Recommendation

Ingersoll Rand's Ocala manufacturing plant demonstrates what this looks like in practice. After implementing VisitorOS and EmergencyOS, FacilityOS's emergency management module, together, the facility rebuilt both its visitor check-in process and its emergency notification capability. When a tornado warning was issued shortly after go-live, Jason Desler, EHS and Facilities Manager at Ingersoll Rand, was able to alert all staff and on-site visitors simultaneously within minutes. The Ocala facility now meets critical evacuation and roll-call benchmarks within seven minutes, and each event produces a clean record for insurers and regulators.

A Practical Roadmap for Access Control Modernization

Access control is converging with video analytics, mobile credentials, and biometrics. The fundamentals from the ASIS research remain stable: clarity, visibility, and continuous improvement. A practical multi-year path follows a consistent sequence.

  1. Baseline the current state. The starting point is a current-state inventory of access technologies, visitor processes, and emergency procedures site by site, identifying where paper still dominates and where temporary credential risk is most concentrated.

  2. Prioritize high-impact gaps. The most productive improvements tend to start where regulatory exposure, visitor volume, or operational criticality are highest: headquarters, large production facilities, multi-tenant campuses.

  3. Digitize visitor workflows. Replacing sign-in sheets with a VMS integrated to the existing access control system typically delivers the fastest gains. Pre-registration and same-day badge issuance are the two capabilities with the most immediate operational impact.

  4. Enable in-out tracking. The goal is a configuration where every person on site, staff and visitor alike, is visible in real time to both security and emergency response teams.

  5. Codify policies and training. Written standards come first, then onboarding, refreshers, and contractor briefings are aligned to those standards so that policy and practice stay in sync.

  6. Institutionalize testing. Periodic drills, red-team exercises, and tabletop scenarios reveal what holds under pressure and what needs refinement.

Organizations that follow this sequence tend to move from treating access control as a collection of devices to running it as a system. At any moment, that system should be able to answer three questions: who is here, where can they go, and how fast can the organization respond when something goes wrong.

The lobby is often where the answer breaks down. It is also, consistently, where the most accessible improvements are.

FAQ: Access Control Modernization & Visitor Management

What is access control modernization?

Access control modernization is the process of replacing manual or paper-based security workflows, particularly those covering visitor management and temporary credentials, with integrated digital systems. It typically involves connecting visitor management software directly to an existing access control system to enable identity verification, time-limited credentialing, zone-specific access, and auditable records.

Why does visitor management matter for access control effectiveness?

According to ASIS International research, organizations using higher-security credentialing technology are substantially more likely to report confidence in their overall access control system. Visitor management represents the segment of most access control programs with the weakest credential standards, making it one of the highest-leverage areas for improvement.

What is in-out tracking in physical security?

In-out tracking is the capability to maintain a real-time record of who is currently on site, including employees, contractors, and visitors, based on badge and credential events. ASIS International research on visitor and emergency management found that 54% of facilities lack this visibility for visitors and contractors during emergencies, which directly limits emergency response accuracy.

How does visitor management support regulatory compliance?

Digital visitor management systems create auditable records of who entered a facility, when, for what purpose, and which policies they acknowledged. This supports compliance with OSHA emergency action plan requirements (29 CFR 1910.38), NERC CIP physical access recordkeeping standards for utilities, and ISO 27001 audit trail requirements in regulated industries.

What does OSHA require for visitor evacuation accounting?

OSHA's emergency action plan standard (29 CFR 1910.38) requires employers to account for all employees after an evacuation. Regulators and insurers increasingly interpret this to include all people on site, including visitors and contractors. The NFPA 101 Life Safety Code reflects a similar position.



Frost Tanner

Frost Tanner is a dedicated Sales Executive at FacilityOS. With a diverse background spanning multiple industries, Frost leverages his extensive experience to help clients adopt innovative visitor and facility management solutions that enhance security and operational efficiency. Outside of work, Frost enjoys traveling, snowboarding, and creating content for his YouTube channel.