Bruce Donald, UK and Ireland Country Manager, SimonsVoss explains why true access control goes beyond locked doors.
Many commercial estates believe they have access control ‘covered’.
But behind locked doors often lies a governance gap – limited audit visibility, weak response capability and systems that don’t scale as organisations grow.
Across the UK, thousands of commercial organisations operate in a security space that is rarely defined clearly.
They are not small businesses relying on a handful of keys – nor are they global enterprises with layered security departments. They sit somewhere in between.
Their facilities teams operate multiple sites. They manage contractors and rotating staff. They oversee mixed-use estates – offices, warehouses, industrial units.
They have facilities or estates leads, but they do not have large, centralised security infrastructure.
For these organisations, access security must be flexible and scalable and this is where the hidden risk often sits.
In a recent UK survey conducted by SimonsVoss, most organisations reported having access control systems in place:
On the surface, that suggests access control maturity, but scalable security is not defined by whether a door locks.
It is defined by whether access is structured, accountable and responsive.
When we asked deeper questions, capability gaps became clear:
In multi-site environments, these capabilities are not enhancements, they are foundational.
Without structured, role-based and time-bound permissions, access control becomes fragmented.
Exceptions accumulate, admin increases and oversight weakens.
In my mind, scalability is not about the number of doors you can secure, it is about whether your control model can evolve as your organisation grows.
Security maturity today is defined by accountability. In our survey:
Keys provide restriction – they do not provide visibility.
Even electronic systems can fall short if they are not configured for structured oversight.
When incidents occur – whether that’s theft, safeguarding concerns, unauthorised entry or internal policy breaches – organisations must move quickly from assumption to evidence and this expectation is reinforced by the broader legislative landscape.
The Terrorism (Protection of Premises) Act 2025 – often referred to as Martyn’s Law – emphasises preparedness and proportionate protective measures for those responsible for premises, according to official government guidance.
While the Act applies specifically to publicly accessible premises, it is becoming increasingly clear that demonstrable control and structured preparedness are becoming expected standards in facilities management.
That expectation extends beyond venues to commercial estates and regional operators who must evidence responsible governance.
Perhaps the most striking survey finding relates to dynamic response:
Dynamic lockdown is often perceived as a feature for extreme scenarios.
In reality, it is a governance capability, that allows organisations to:
If response depends on physical keyholders or manual intervention, security becomes reactive rather than controlled – and for organisations operating across multiple sites, that delay compounds risk.
Commercial estates operating at regional or national scale often manage complex access demands with lean teams.
They must balance: Cost control, operational continuity, staff safety, contractor oversight and governance expectations.
Industry analysis continues to highlight operational efficiency and business continuity as core pressures across facilities management.
Meanwhile, RICS’ UK Facilities Management Survey reflects increasing professionalisation and structured performance measurement within estates functions.
Security systems must support this evolution and access control should not create administrative drag.
It should: Centralise permission management, support structured role and zone rules, enable instant revocation, provide searchable audit trails and scale across sites without increasing headcount.
One of the most persistent misconceptions is that achieving structured access governance requires enterprise scale infrastructure or disruptive transformation programmes.
Modern digital locking systems can be retrofit-friendly and deployed in phases, reducing disruption and enabling faster time-to-value.
Security does not need to become an enterprise project to deliver enterprise-grade control.
The organisations most exposed today, are not necessarily those without access control.
They are those with locked doors, but limited oversight.
For multi-site commercial estates, resilience is defined by clarity.
Clarity about who can access what and clarity about how quickly control can be reasserted.
In modern commercial environments, the strength of the lock is only part of the story – it is the visibility and scalability behind it that defines true security maturity.
