Reading time: 5 minutes
Physical access control systems (PACS) are becoming an authoritative source for occupancy data, workplace analytics, and real-time building orchestration. At the same time, a strategic contest is emerging between traditional security vendors and the new wave of workplace, IoT, and enterprise platforms, all competing to “own” the identity graph that increasingly determines how buildings operate, how space is monetized, how experiences are delivered and building systems interaction is organized.
In the context of connected buildings, the term “Identity Graph” is gaining increasing significance. It refers to a central, dynamic data model that links together all information about individuals, their identities, permissions, and interactions within a building or campus. The Identity Graph thus serves as the hub for all physical and digital identities: from employees and visitors to their authentication methods—such as badges, smartphones, or biometric features—as well as roles, access rights, and usage preferences. In addition, it integrates data from IT directories, HR systems, workplace bookings, and IoT interactions.
Its relevance is growing because modern buildings are increasingly identity-driven in their operation. Lighting, climate control, lifts, or room bookings can only be efficiently orchestrated if systems know in real time who is in the building, what permissions these individuals have, and which usage contexts apply.
This research note summarizes some of the in-depth findings from Memoori’s new report into the global access control market, The Physical Access Control Business 2025 to 2030.
From Security Tool to Identity Infrastructure
The data generated by access control events, badge swipes, mobile credential authentications, and visitor check-ins now powers applications far beyond security. Organizations are using access data to track space utilization, automate HVAC and lighting based on real occupancy, validate ESG reporting, and coordinate emergency response.
According to recent industry research, nearly half of organizations now use access control data to inform space utilization decisions, while around one-third have integrated their security platforms with business systems such as Human Resources.
In a hybrid work environment, this capability has become essential. With employees averaging around three days per week in the office and employers monitoring attendance patterns, access control has become an authoritative record of presence.
It can feed workplace booking platforms, inform cleaning schedules, support portfolio optimization, and provide the occupancy analytics that underpin decisions about which floors to activate and which to mothball.
This signals a profound shift: access control is no longer just about keeping people out; it’s about knowing who’s in, where they are, and what services the building should deliver in response.
The Consolidation Effect: Everything Connects to Access Control
As buildings become more software-defined and interconnected, PACS could emerge as the integration point around which other systems consolidate. Physical Identity and Access Management (PIAM) platforms sit above core access systems to orchestrate the full lifecycle of identity, from onboarding and role-based provisioning to access audits and deactivation across employees, contractors, and visitors. PIAM ensures that prerequisites like background checks, training certifications, and approvals are completed before access is granted, and automatically revokes access when conditions lapse.
- Visitor management systems now tie directly into access platforms, granting time-bound credentials and triggering downstream actions such as pre-conditioning of meeting rooms or opening turnstiles for registered guests.
- Elevator dispatch systems link access rights to floor permissions, enabling pre-authorized car assignments that speed movement and restrict access to secure zones.
- Parking systems coordinate gate permissions and EV charging access using the same identity record that controls building entry.
- Workplace experience apps are increasingly integrated with access control to grant temporary zone permissions, automate check-in flows, and personalize building services based on who is present.
When an employee badges into a floor, Building Management Systems (BMS) can automatically activate lighting, condition the space to comfort settings, and assign an elevator. When the last occupant exits, the system scales back to energy-saving modes. This level of automation, once aspirational, is increasingly expected in high-specification office projects and in multi-tenant commercial portfolios.
The shift is architectural. Rather than operating as isolated silos, these functions are converging around a shared identity layer, with access control providing the real-time presence signal that makes automation possible.
The Battle for the Identity Graph
This convergence has triggered a strategic contest over who controls the identity graph, the authoritative map of individuals, their permissions, their locations, and their relationships to spaces and services.
Traditional security vendors built their businesses on locks, readers, and controllers. But as access control becomes software-defined and cloud-managed, value is migrating toward platforms, Application Programming Interfaces (APIs), and ecosystems.
Vendors such as Genetec, Verkada, Honeywell, Johnson Controls, and ASSA ABLOY are opening their ecosystems to certified partners, offering APIs, SDKs, and developer marketplaces to encourage third-party innovation.
A significant number of new enterprise tenders now include API access as a mandatory requirement, reflecting the expectation that access control integrates seamlessly with HR platforms, identity governance tools, and digital workplace services.
But IT and workplace platforms are pushing back. ServiceNow, Microsoft, and other enterprise software providers are embedding physical access management into their identity and workplace suites, positioning PACS as a downstream system rather than the authoritative layer. PropTech startups and tenant experience platforms are doing the same, pulling identity, permissions, and occupancy data into their own applications and relegating traditional PACS vendors to infrastructure providers.
The outcome of this contest will shape the industry for the next decade. If security vendors succeed in maintaining control of the identity graph, they can capture recurring software revenue, ecosystem fees, and data monetization opportunities. If they lose ground to IT and workplace platforms, they risk commoditization, with access control reduced to interchangeable hardware feeding someone else’s software stack.
New Revenue Streams Built on Access Data
Historically, access control revenue came primarily from hardware sales and installation services. Today, vendors are building recurring revenue streams around cloud subscriptions, analytics platforms, and ecosystem services.
Access-as-a-Service (ACaaS) models are now widely adopted, with a large majority of integrators offering remote management and hosted platforms as standard options. These subscriptions bundle software updates, remote diagnostics, and cyber threat monitoring into predictable monthly fees. Advanced analytics such as occupancy heatmaps, behavioral anomaly detection, and compliance dashboards are increasingly sold as premium add-ons or separate modules.
Platform ecosystems are generating ecosystem revenue through app marketplaces, certified integrations, and developer partnerships. Some vendors charge licensing fees to third parties building on their APIs. Others monetize indirectly by increasing platform stickiness, retention, and upsell opportunities when customers adopt integrated workflows.
ESG reporting is emerging as a particularly high-value use case as more and more companies are forced to disclose information about their performance in three key areas: Environmental, Social, and Governance. Organizations need credible, auditable occupancy data to validate carbon footprint claims, optimize energy use, and comply with emerging sustainability regulations. Access control provides that data layer, and vendors are positioning ESG-ready dashboards and export tools as premium features tied to enterprise contracts.
Infrastructure or Intelligence?
The future of access control hinges on a fundamental question: will it remain infrastructure, reliable, standardized, and increasingly commoditized, or evolve into intelligence, capturing the value that flows from identity, presence, and orchestration?
For building owners, portfolio operators, and facility managers, the answer matters. Choosing a PACS platform today means choosing an identity architecture that will shape integration possibilities, data ownership, and software dependencies for years to come. The winners will be those who recognize that access control is no longer just about security; it’s about becoming part of the operational backbone of digitally connected buildings.
