The badge isn't enough: 6 lessons from security leaders on closing workplace blind spots

Security leaders from U.S. Bank, the Minnesota Twins, Aleto, Arbor Biotechnologies, and Envoy share what it takes to close the gaps that matter most.
Jun 15, 2026
Joanna Zerga
Senior Manager of Field Marketing & Events
Over the past few weeks, Envoy sponsored two BDI lunches with security, compliance, and operations leaders. One in Minneapolis on May 19. One in Boston on June 3. Different cities, different industries, same conversation.

The Minneapolis panel covered the hidden cost of risk: silos, AI governance, crisis response, and audit-proofing. The Boston panel went deeper on what happens beyond the front door: regulated environments, multi-signal identity, watch lists, and mustering when it counts.

The throughline across both: workplace risk has outgrown any single team. Physical security, cyber, compliance, AI, and crisis response all overlap now. The organizations getting it right are the ones breaking down silos, practicing failure, and demanding evidence their controls actually work.

Here are six quotes, takeaways, and learnings worth bringing back to your team. 🎯

1. Silos are the real blind spot

Catherine Liu, Senior AI Risk Manager at U.S. Bank, set the tone in Minneapolis.

"Blind spots, in my opinion, come from having internal silos and you don't know, from the bigger picture, what the impact is. You know your own space, but you don't know what is upstream, downstream, and what could go wrong. Right now I work in the AI security space; when you do not quite know who is owning it and where the AI solutions are being deployed, and who's using it in terms of accountability and data lineage, that's where the security gaps are coming from."

Her team has more than 700 AI use cases in the pipeline. To keep up, she built a hub and spoke model that trains the entire audit org to recognize AI risk and surface the right signals.

In Boston, Bridget Scott Akinc, VP of Strategy & Enablement at Envoy, framed the same problem from the visitor side. Most companies have employees in HRIS, devices in IT, badges in facilities, and visitors in a paper log. None of those systems talk to each other.

Takeaway: Define who owns each risk, who escalates it, who makes decisions, and who documents the outcome. If those four roles aren't named, you have a gap.

2. Practice failure before failure finds you

Jeff Beahen, Senior Director of Security at the Minnesota Twins, walked through Opening Day 2026. Target Field lost full power minutes after gates opened. 38,000 fans on the way in, dead scanners, stuck elevators, stuck escalators, and a substation that had literally exploded.

"We have generator tests, but we've never actually killed the power. The Astros told us they do it at 4am. They shut it off and see what doesn't come back on."

The biggest failure wasn't the outage. It was the decision-making.

"We had people on the fourth floor making decisions. We had people on the third floor making decisions. Unified command broke down."

In Boston, Asiem Bhaskar, Senior Manager of Laboratory & Facilities Services at Arbor Biotechnologies, described a recent chemical near-miss in his lab.

"We knew which room it was in. We knew which approved users were in that room. The next notification was to evacuate immediately. As an added feature, we disabled the badges to that room until the safety officer cleared it."

For their quarterly fire drills, Asiem does three head counts: badge data before the alarm, a physical count at the rally point, and a final sweep before re-entry.

Takeaway: Playbooks aren't plans until you've run them under pressure. Stress-test your systems and your decision-makers together, in the same room.

3. Your best pen testers are already on payroll

Jeff's team hires a high-end firm out of California to run physical penetration tests at Target Field. They're excellent. They're also expensive. His point for the rest of us:

"Wear a uniform. Carry a clipboard, a thermometer, or a plunger. You're going to get in."

Thomas Hogan, Facilities Manager at Aleto, said the most honest threat assessment doesn't come from a consultant at all. It comes from the people closest to the gaps.

"Grab your low-level IT folks who've been there a year or less. The gung-ho ones. Sit them at a table with their supervisor in the corner, not allowed to speak. Ask them how they'd break in. You'll get terrifying answers. Those are the ones you want."

Thomas added the culture point that makes the exercise actually work: "Don't be afraid to speak up." The growing instinct in new hires is to wait for permission to talk. That waiting is a gap.

Takeaway: Your sharpest pen testers might already be on payroll. Give them a room, a question, and cover to be honest.

4. A badge alone isn't identity anymore

This was the central theme in Boston. Badges have been around for decades, but they're a single moment in time. People hold them up to readers they're not authorized to use. Contractors stay in the system long after their project ends. And the wave-through is everywhere.

Derek Anderholm, IT Operations Manager at Arbor Biotechnologies, said his security operations center catches the digital version of this every week.

"Our SOC flags impossible travel. If someone logs in from Cambridge and then ten minutes later from Australia, we lock it down."

The fix on both sides is the same: stop relying on a single signal. Combine badges with Wi-Fi presence, identity verification, watch lists, and anomaly detection. If a FedEx driver shows up on a Sunday and you don't ship on Sundays, that should trigger an alert at the front desk, not a wave-through.

Bridget Scott Akinc, VP of Strategy & Enablement at Envoy, shared a real example from one of Envoy's logistics customers.

"They were rehiring drivers they'd already let go for theft. Why? Their staffing agency verified the driver's license, but didn't have the history. A simple watch list solved it."

Takeaway: Treat physical access the way IT treats identity. Multi-signal, time-bound, and tied to actual presence, not just a piece of plastic.
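
The multi-signal, time-bound idea above, as an added example (not code from Envoy or any panelist's organization): badge swipes and logins are reviewed as one event stream per person, so the impossible-travel check spans physical and digital signals, and a badge used after its access end date is flagged. The `Event` fields, the `MAX_KMH` and `MIN_KM` thresholds, and all names, dates and coordinates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_KM = 50.0    # assumed floor: ignore geolocation jitter within a metro area

@dataclass(frozen=True)
class Event:
    who: str
    when: datetime
    source: str  # "badge" or "login"
    lat: float
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance between two events, in km."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def review(events, access_ends):
    """Return (who, reason) findings over badge and login events together."""
    findings, last = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        end = access_ends.get(ev.who)
        if ev.source == "badge" and end is not None and ev.when.date() > end:
            findings.append((ev.who, "badge used after access end date"))
        prev = last.get(ev.who)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            dist = km_between(prev, ev)
            # Two distant events at the same instant are impossible too.
            if dist > MIN_KM and (hours == 0 or dist / hours > MAX_KMH):
                findings.append((ev.who, f"impossible travel: {prev.source} -> {ev.source}"))
        last[ev.who] = ev
    return findings

# Constructed sample data (not from the page).
CAMBRIDGE, SYDNEY = (42.37, -71.11), (-33.87, 151.21)
SAMPLE = [
    Event("avery", datetime(2026, 6, 3, 9, 0), "badge", *CAMBRIDGE),
    Event("avery", datetime(2026, 6, 3, 9, 10), "login", *SYDNEY),
    Event("blake", datetime(2026, 6, 3, 8, 0), "badge", *CAMBRIDGE),
    Event("blake", datetime(2026, 6, 3, 13, 0), "login", *CAMBRIDGE),
    Event("casey", datetime(2026, 6, 3, 7, 30), "badge", *CAMBRIDGE),
]
ACCESS_ENDS = {"casey": date(2026, 5, 31)}  # contractor whose project ended
```

Calling `review(SAMPLE, ACCESS_ENDS)` flags the contractor's stale badge and the badge-then-login pair ten minutes apart; the employee who badges in and later logs in from the same city produces no finding.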

5. AI governance starts with ownership, not tools

The Minneapolis room kept coming back to one pattern: employees pasting sensitive data into AI tools without realizing it.

"We had payroll information being uploaded. Policies from different departments. People were just trying to update things and make them look good."

Catherine framed the fix.

"Doing the right thing is one thing. Demonstrating you're doing the right thing to auditors and regulators is another. If you're only producing artifacts when someone asks, you're already halfway at failure mode."

In Boston, the same logic showed up in a regulated environment. Arbor's IND filing required a fully restricted QC space with a known list of approved users, segregated instruments, and a real-time audit trail of every badge swipe. The governance had to be designed in, not bolted on.

Takeaway: AI governance, like access governance, is an ownership problem before it's a tooling problem. Map who owns the model, the data, the use case, and the evidence. Then automate.

6. Reaching every employee in 60 seconds is a security control

Jeff described a recent attack on a Twin Cities corporate office. Employees got a text, an email, and a phone call from numbers that looked like the home office, all within minutes, all saying there was a cyber incident and they had to act fast.

"These people were extraordinarily good. They convinced very intelligent people to do things that weren't good."

The attackers were calling employees' parents to track them down. What stopped the damage was a fast, all-staff broadcast on a separate channel telling people to ignore everything else and shut their machines down.

The Twins use the same approach for non-cyber events. After last year's tragedy involving Minnesota Representative Melissa Hortman and her husband, Jeff's team pushed a statewide alert to every employee within minutes using Envoy. They've done it for California wildfires too.

"It's affirming to the employee. If I got this four different ways, this might be real."

In Boston, Bridget pointed out the missing piece most companies still get wrong: emergency alerts that go to an HR list miss the people most exposed in the building. Contractors, vendors, auditors, and customers visiting for the day aren't in HRIS. If your muster list pulls from HR alone, you're sending a fire drill alert to someone vacationing in Germany and skipping the auditor in the lobby.

Takeaway: Treat your ability to reach every person on site in 60 seconds as critical infrastructure. Build it on real-time presence, not yesterday's directory. Then practice it before you need it.
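
A muster list built from presence rather than the directory, as an added example (not Envoy's implementation): the roster at alarm time comes from arrival and departure events for employees and visitors alike, is compared with what an HR-only list would have done, and is then reconciled against the rally-point count and final sweep described in lesson 2. The event fields, report keys, names and times are assumptions constructed for illustration.

```python
from datetime import datetime

def on_site(events, at):
    """People whose latest event at or before `at` is an arrival."""
    latest = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["time"] <= at:
            latest[ev["person"]] = ev["action"]
    return {person for person, action in latest.items() if action == "in"}

def muster_report(events, hr_directory, alarm_time, rally_point, sweep_found):
    """Reconcile presence at alarm time with the rally count and the sweep."""
    expected = on_site(events, alarm_time)
    missing = expected - rally_point
    return {
        "alert": sorted(expected),
        "hr_list_misses": sorted(expected - hr_directory),
        "hr_list_pages_offsite": sorted(hr_directory - expected),
        "missing_at_rally": sorted(missing),
        "missing_after_sweep": sorted(missing - sweep_found),
        # At the rally point but never registered: tailgating or a skipped sign-in.
        "unregistered_at_rally": sorted(rally_point - expected),
    }

def t(hour, minute=0):
    return datetime(2026, 6, 3, hour, minute)

# Constructed sample data (not from the page).
EVENTS = [
    {"person": "dana", "action": "in", "time": t(8, 45), "source": "badge"},
    {"person": "eli", "action": "in", "time": t(9, 0), "source": "badge"},
    {"person": "hvac-ito", "action": "in", "time": t(9, 30), "source": "visitor"},
    {"person": "auditor-gray", "action": "in", "time": t(10, 0), "source": "visitor"},
    {"person": "eli", "action": "out", "time": t(11, 30), "source": "badge"},
    {"person": "late-kim", "action": "in", "time": t(12, 5), "source": "visitor"},
]
HR_DIRECTORY = {"dana", "eli", "farah"}  # farah is on vacation, eli left at 11:30
REPORT = muster_report(
    EVENTS,
    HR_DIRECTORY,
    alarm_time=t(12, 0),
    rally_point={"dana", "auditor-gray", "unknown-1"},
    sweep_found={"hvac-ito"},
)
```

In `REPORT`, the HR-only list would have missed both visitors and paged two people who were not in the building, while the rally count surfaces one person to sweep for and one person nobody registered.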

The bottom line

The strongest teams practice, name ownership clearly, and connect their systems so every person on site is accounted for. Whether the risk is a bad actor with a clipboard, a substation fire, a chemical incident, or an employee pasting payroll into a chatbot, the answer is the same. Prepare. Document. Share.

Thanks to Matt Tverberg and Bridget Scott Akinc for moderating, and to Catherine Liu, Jeff Beahen, Thomas Hogan, Asiem Bhaskar, and Derek Anderholm for the candor.

Want to see how Envoy connects badges, visitors, Wi-Fi, and emergency notifications into one secure workplace platform? Learn more about Envoy.

Joanna Zerga is Senior Manager of Field Marketing & Events at Envoy, where she leads ABM and event strategy that connects marketing programs to real pipeline. She brings deep experience across field marketing, account-based marketing, and GTM programs, with past roles at Uberflip, OneLogin, and Anaplan. Joanna is known for building high-impact events and field programs that bring teams together and move the business forward. She's based in San Francisco.