A security leader's guide to building visitor management that actually protects your facilities

Most organizations think they've solved visitor management. Digital sign-in, real-time dashboard, a better experience at reception. Job done.

But convenience and security are not the same thing. When an incident happens, or an auditor arrives, that distinction becomes very clear, very fast.

Tim Reed has spent nearly 30 years securing facilities at Apple, Uber, and now Aurora Innovation's autonomous trucking ecosystem. He's seen visitor management done well. He's seen it fail. And he has a clear view on where most programs fall short.

We sat down with him to find out what it actually takes to build a visitor program that protects your facilities, not just modernizes your front desk.

Here's what we took away:

Visitor management starts at the perimeter

Security programs don't start at the server rack or the CCTV monitor. They start at the front door.

"One of the hallmarks of a really well-defined security program is it starts at the perimeter. The perimeter of your site is literally the same as it would be of your home. It's the front door. Would you leave the front door of your house open for anybody to walk in?"
‍
— Tim Reed, Director of Security, Aurora Innovation

Once organizations actually start tracking visitor volume, Tim noted, most are surprised by the numbers. And that volume carries real risk if there's no system behind it — no NDA verification, no safety training confirmation, no searchable record for future investigation.

The front desk isn't just a hospitality function. It's the first line of a security program.

The cost of getting it wrong

The case for visitor management is easy to make in the positive. Pre-registration speeds up check-in. Audit logs support compliance. Safety training reminders reduce liability.

But Tim framed it a different way: what's the cost of not having it?

"There's valuable investigative material that gets lost. You run into compliance issues, particularly for institutions that run dual-use or have any sort of government contracts. God forbid somebody gets hurt in one of your buildings — now you have a potential liability that could have potentially been circumvented through safety training at the onset."

He also shared a concrete example: a vendor sending two technicians to do the work of one, and double-billing for it. The team caught it through visitor management logs.

"Once people start to track the number of visitors that are coming in and out of their sites, they're usually pretty surprised at the volume... a vendor [was] sending two people to basically come do the work of one and double billing. We were able to see that through those visitor management logs... and we were able to remedy that problem very quickly from those records."

The data doesn't just protect against threats. It protects against operational gaps you didn't know you had.

Pre-registration isn't friction, it's the program

A common tension: the teams who want visitors moving through as fast as possible versus the security teams who need controls in place. Tim's take is that pre-registration resolves this tension rather than creating it.

"Pre-registration of guests really is something that a lot of our teams enjoy. It speeds up that process, but it still maintains that secure perimeter that we're looking for."

When visitors are pre-vetted, the check-in experience is faster for everyone. NDAs get signed ahead of time. Safety training is confirmed before arrival. The front desk becomes a checkpoint, not a bottleneck.

The goal is showing every stakeholder what they get out of the system — operations, legal, safety, and security teams included.

Block lists, watch lists, and real-time intelligence

One of the most operationally useful features Tim described: block lists that stop flagged individuals before they ever reach a receptionist.

"We do have some problem personnel that are blacklisted on some of our sites. Say, for example, a cleaner gets fired from one company — they may try to go work for another. This is a very quick methodology for us to start vetting people at the front door."

The same infrastructure supports executive protection, legal holds, and cross-site threat coordination. And critically, Tim emphasized that these lists require regular maintenance — not just deployment.

"Auditing your systems is critical. Having them in check is absolutely vital to knowing what's going on. Deploying it is one thing. Making sure it's stable and compliant is entirely another."

What compliance actually looks for

Tim's description of what auditors are really looking for was one of the clearest moments in the conversation.

"Are you actually keeping track of what you say you're keeping track of? Show me the data, show me the logs, show me that they're consistent — show me that they haven't been altered or tampered with in any way. That's what they're really looking for primarily. The data integrity piece, and understanding where it lives, who's got access to it, and how the data is moving back and forth."

This is the gap most visitor management systems leave open. A system built for convenience can produce a sign-in log. A system built as security infrastructure produces defensible, consistent, tamper-evident records that hold up under scrutiny.

Mature programs are portable programs

Tim closed the conversation with a definition of security maturity worth bookmarking.

"Security is a process, not a product. When you look at a security program, could I pick that up and move it into a new site with minimal disruption? Could I deploy it very, very quickly? And if the answer is yes — but — that's the key component.
If yes, I can deploy it here, but we need to aggregate in what has changed from Site A to Site B."

That "yes, but" is the marker of a mature program. One that's built on a strong foundation, adaptable to local context, and consistently auditable across every location.

Watch the full conversation

Tim covered a lot more ground in the full session: managing VIPs and government officials, delivery and package tracking, emergency communications, AI's role in physical security (and its risks), and how to enforce consistent policy across global sites.

Watch the recording on demand →

Want to see what security-forward visitor management looks like in practice? Book a demo with Envoy and walk through pre-approvals, block lists, audit trails, and more.