The growing involvement of IT teams in physical security is often framed as a corrective move.
The growing involvement of IT teams in physical security is often framed as a corrective move. Bring cameras, access control and intrusion systems under IT governance, the thinking goes, and long-standing vulnerabilities will finally be addressed.
According to Greyhound Research, that assumption is only partially true.
Convergence does close some gaps. But it also introduces new ones. The real question is no longer whether IT ownership improves physical security, but whether organisations understand the new risks they are taking on when they make that shift.
“Let’s be clear,” said Sanchit Vir Gogia, Chief Analyst at Greyhound Research. “When physical security lives outside IT, it becomes a blind spot. Devices go unpatched. Access logs go unread. Credentials stay active long after employees leave.”
Bringing those systems under IT governance fixes many of those problems. But it also means physical security inherits the complexity, fragility and interdependence of modern IT environments.
“You don’t eliminate risk,” Gogia said. “You move it.”
When convergence creates new failure modes
Greyhound’s research highlights a pattern that is becoming increasingly common: physical security systems failing not because of hardware faults or poor installation, but because of routine IT changes made without an understanding of physical impact.
Badge systems have gone offline during network reconfiguration because no one included them in routing tables. Cloud-managed video platforms have become inaccessible during single sign-on updates, leaving operators without visibility during live incidents. Access control systems have been misconfigured because IT teams assumed they behaved like firewalls or VPNs.
“These aren’t exotic failures,” Gogia said. “They’re normal IT operations colliding with systems that have real-world consequences.”
The issue, according to Greyhound, is not convergence itself. It is the assumption that bringing physical security under IT control automatically delivers control without requiring new forms of responsibility.
“IT has to learn the language of physical response,” Gogia said. “And physical teams have to trust IT processes. Without that, you get brittle systems that look great on a diagram but fall apart in an actual incident.”
Ownership without coordination is not resilience
Greyhound argues that IT ownership improves outcomes only when paired with architectural resilience and human coordination. Without those elements, organisations risk replacing visible, well-understood weaknesses with hidden systemic fragility.
In traditional physical security environments, systems were often crude but predictable. In converged environments, they are more capable but also more dependent on upstream services, identity systems and network availability.
That dependency chain matters during incidents.
“If a camera goes offline because of a network change, that’s not a cyber problem or a physical problem,” Gogia said. “It’s an organisational problem.”
Greyhound’s position is that convergence must be treated as a socio-technical shift, not just a technology upgrade. Governance models, escalation paths and shared ownership structures become as important as platform features.
The integrator reckoning
Nowhere is this shift felt more acutely than among system integrators.
According to Greyhound Research, integrators face a binary choice: evolve or disappear.
“The market isn’t asking for cable pullers anymore,” Gogia said. “It’s asking for trusted partners who understand threat modelling, identity federation and patch windows.”
Greyhound has observed enterprises terminating long-standing integrator relationships mid-project when those partners failed to meet IT security expectations. In some cases, integrators could not produce adequate documentation. In others, they resisted participating in vulnerability disclosure programs or regular security assessments.
“That’s not a niche requirement anymore,” Gogia said. “That’s table stakes.”
As IT takes greater ownership, integrators are increasingly evaluated through the same lens as managed service providers, cloud VARs and IT consultancies. Technical competence alone is no longer sufficient. Integrators must demonstrate governance maturity.
From install-and-walk to lifecycle ownership
Greyhound’s analysis suggests that the traditional “install-and-walk” integrator model is becoming commercially unsustainable in IT-led environments.
The integrators gaining ground today are those offering managed services, participating in governance discussions and remaining engaged for the full lifecycle of the platform. They show up during audits. They help close compliance gaps. They speak the language of procurement and risk, not just bill of materials.
“That’s where the margin is now,” Gogia said. “That’s where the long-term value lives.”
This evolution also reshapes how integrators are positioned within client organisations. Rather than being engaged late in the project to execute predefined designs, successful integrators are involved earlier, contributing to architectural decisions and operational planning.
Those that fail to adapt face growing competition from IT-focused players.
“If integrators don’t step up,” Gogia said, “they lose deals to MSPs, cloud VARs or internal IT teams.”
Is physical security really becoming an IT platform?
From a language perspective, the answer appears to be yes. Enterprises increasingly talk about surveillance platforms, unified dashboards and data integration. Requests for proposals reference APIs, SIEM ingestion and zero-trust alignment.
But Greyhound cautions against assuming platform maturity based on terminology alone.
“In theory, physical security is being treated as an IT platform,” Gogia said. “In practice, not yet.”
The reality on the ground remains uneven. Some organisations are deploying cloud-native access control systems that integrate directly with IAM stacks. Others continue to operate decade-old DVRs with no patch history and administrative accounts no one remembers creating.
“The intent is there,” Gogia said. “The tooling is emerging. But the execution is messy.”
Platform maturity is more than a web interface
Greyhound defines platform maturity not by user experience, but by governance and lifecycle characteristics.
A true platform, according to the firm, includes standardised APIs, secure update pipelines, policy inheritance, auditability and lifecycle management. Many physical security systems fall short on several of these dimensions.
“In many cases, what organisations have are modernised silos,” Gogia said. “They look like platforms, but they don’t behave like them.”
Fragmented ownership, constrained budgets and inconsistent vendor discipline all contribute to this gap. As a result, organisations may believe they have platform-level resilience when they do not.
Regulatory pressure is accelerating the shift
Despite these challenges, Greyhound sees momentum building. One of the strongest indicators is the changing nature of RFPs.
Requirements that were once optional or rare are now becoming standard. Integration with enterprise architecture frameworks, SIEM ingestion, and alignment with zero-trust principles are increasingly expected.
“That tells us the expectation has shifted,” Gogia said. “Now the industry has to catch up.”
Regulators are also playing a role. As physical security systems become subject to cyber audits and data protection scrutiny, boards are demanding end-to-end visibility into risk. That pressure reinforces the platform mindset, even when execution lags.
Moving risk is not the same as reducing it
Greyhound’s overarching message is a cautionary one. Convergence is necessary, but it is not inherently stabilising. Without deliberate design and cross-functional coordination, IT ownership can introduce new forms of systemic risk.
“Ownership improves outcomes,” Gogia said. “But only when it’s paired with architectural resilience and human coordination.”
For enterprises, that means resisting the temptation to treat physical security as just another IT asset. For integrators, it means redefining their role in a market that increasingly values governance over hardware.
And for the industry as a whole, it means recognising that the shift toward IT-led physical security is not the end of the risk conversation. It is the beginning of a more complex one.