Your identity team retired the VPN, rolled out phishing-resistant MFA, and wrote “zero trust” into the security strategy the board approved. Then everyone badged into the building through a reader that would accept the same card if a stranger held it.
The roadmap in one sentence: extending zero trust from the network to the door means treating physical entry as one more access request in your identity program — verified against the person, logged as evidence, and rolled out in waves starting where implicit trust costs most. Here is that roadmap as CISOs actually run it, in five stages.
Stage 1: Put doors on the zero trust map
Most zero trust programs inventory applications, data, and network segments and stop. Add the physical layer: which doors protect the assets already on your map? The server room holding the crown-jewel systems, the labs with regulated data, the residence halls where duty-of-care lives. The exercise usually surprises: the most rigorously protected data on campus frequently sits behind the least verified door — a mismatch covered in depth in the research-lab post. If you need the doctrinal grounding for stakeholders first, start with the definition.
Stage 2: Score doors by implicit-trust cost
Rank each mapped door by what a shared, cloned, or tailgated credential costs there. High: research labs, data centers and IT closets, health-center back-of-house, residence halls. Medium: faculty and administrative offices, athletics staff areas. Throughput-driven: dining, recreation, stadium gates — where the case is speed as much as security. The scoring output is your wave plan, and it’s also your budget narrative: dollars follow the doors where the current system’s silent failures are most expensive.
Stage 3: Pick verification that fits the campus
The verification layer must satisfy constraints the enterprise version of this roadmap never faces: a population that shares credentials casually, a privacy culture that will litigate the word “surveillance” in the student paper, and an access control investment nobody will fund replacing. Practically, that means one-to-one facial authentication — opt-in, liveness-checked, matched at the edge in under a second — presenting to your existing ACS as a standard reader over Wiegand or OSDP. Enrollment take-up is a communications exercise as much as a technical one; run the privacy-first playbook in parallel with procurement, not after it.
Stage 4: Deploy in waves, keep the fallback
Wave one is the high-cost doors from stage 2 — typically a small fraction of campus doors covering a large fraction of risk. Badges remain live everywhere, permanently: they are the opt-out path, the failure mode, and the reason the project never has to win a mandatory-biometrics fight. Wave one’s telemetry funds wave two: tailgating events at equipped doors give you the first honest measurement of unverified entry your campus has ever had, and that number briefs itself.
Stage 5: Converge the identity lifecycle
The end state ties door identity to the same joiner-mover-leaver process that governs accounts: enrollment at onboarding (opt-in), access scoped by the ACS policies you already maintain, and departure or revocation triggering template deletion with an auditable consent record. At that point physical access stops being a parallel universe and becomes another relying party of the identity program — which is what “zero trust” meant all along.
A limitation to keep the roadmap honest: doors involve fire code, ADA requirements, and facilities politics that network rollouts never met. Budget time for the AHJ conversation and the door-hardware survey; the reader is the easy part.
Ready to scope wave one? The self-assessment checklist generates the door list — then book a demo with your ACS details and we’ll map the integration.
Frequently asked questions
Where should a campus start extending zero trust to doors?
With inventory: map every controlled door to the assets and populations behind it, then score doors by what a shared, cloned, or tailgated credential costs there. Wave one is the highest-cost doors — typically research labs, data rooms, and residence halls.
Do badges go away under a zero trust rollout?
No. Badges remain live everywhere, permanently — they are the opt-out path, the failure fallback, and the reason the program never has to fight a mandatory-biometrics battle. Zero trust removes implicit trust from high-risk doors, not options from people.
What makes the first deployment wave successful?
Scope it to the doors your own risk scoring ranked highest, run the privacy communication in parallel with procurement, and instrument it: tailgating events at equipped doors produce the first honest measurement of unverified entry, and that data funds wave two.