Smart Building Access Through Continuity

by Nick Clark | Published March 27, 2026

Physical access control has not fundamentally changed in decades. Keys became cards, cards became fobs, fobs became phones, but the model remains the same: possess a credential, present it, gain access. Keyless identity replaces credential possession with behavioral continuity, where access derives from accumulated trust rather than something that can be copied, shared, or stolen. The door does not ask what you have. It evaluates who you have been. This article positions smart-building physical access control under the AQ keyless-identity primitive disclosed in provisional 64/050,895, against a regulatory backdrop that increasingly treats stored credentials as the liability rather than the safeguard.


1. Regulatory and Compliance Framework

Smart-building physical access sits at the intersection of three converging regulatory regimes that current credential-centric architectures struggle to satisfy simultaneously. The first is the data-protection regime: GDPR Article 9 classifies biometric data processed for the purpose of uniquely identifying a natural person as a special category requiring an explicit lawful basis, a documented data-protection impact assessment under Article 35, and storage-limitation discipline under Article 5(1)(e). The Information Commissioner's Office and the European Data Protection Board have repeatedly flagged stored biometric templates used for building access as high-risk processing, and the EDPB Guidelines 05/2022 on facial recognition treat the enrollment-template-matching architecture as the worst-case configuration because the template is permanent, the subject cannot revoke it, and breach exposure is irreversible.

The second is the cybersecurity regime: NIST SP 800-116 Revision 1 governs the use of PIV credentials in federal physical access systems and requires authentication factor binding, credential lifecycle management, and revocation infrastructure. ISO/IEC 27001:2022 Annex A.7 (physical and environmental security) and Annex A.5.15 through A.5.18 (access control) require organizations to maintain an authoritative inventory of issued credentials, verifiable revocation, and audit logs sufficient to reconstruct access events. ISO/IEC 27002:2022 control 7.2 specifically addresses physical entry and demands continuous validation of authorization, not merely the validity of the token presented at the door. NIS2 (Directive (EU) 2022/2555) extends material cybersecurity duties to operators of essential and important entities, including building-services providers in critical sectors, and treats access-control failure as a reportable incident category.

The third is the AI-and-automation regime: the EU AI Act categorises remote biometric identification systems used in publicly accessible spaces as either prohibited (real-time, law-enforcement context, Article 5) or high-risk (Annex III, point 1), in either case imposing conformity assessment, risk management, post-market monitoring, and human-oversight obligations. Annex III point 1 catches biometric categorization and emotion recognition deployed in the workplace context, which is exactly the configuration most modern smart-building access vendors are converging on. SOC 2 Common Criteria CC6.4 (restrict physical access to facilities) and CC6.5 (logical and physical access protection) require credentialed-evidence trails that withstand independent attestation. Together these regimes mean a smart-building operator deploying credential-and-template architecture today is simultaneously holding GDPR Article 9 special-category data, NIS2-reportable cybersecurity exposure, and EU AI Act Annex III high-risk-system obligations, with a SOC 2 auditor expecting structural evidence that none of those is being mishandled.

NFPA 101 (Life Safety Code) and NFPA 730 (Premises Security) impose orthogonal constraints: access systems must fail safely under emergency conditions, must permit egress without credentials, and must not become the cause of harm during fire, evacuation, or active-shooter scenarios. The cumulative regulatory floor is therefore higher than any single statute would suggest, and credential-centric architectures struggle to meet it without expensive procedural compensation.

2. Architectural Requirement

The architectural shape that satisfies the cumulative regulatory floor has six properties that are not independently negotiable. First, no permanent stored secret should be required to authorize entry, because any permanent stored secret is breach-exposed under GDPR storage-limitation discipline and NIS2 incident reporting. Second, authorization must derive from observable continuity rather than from a token, because tokens are transferable and continuity is not. Third, the system must produce graduated outcomes rather than binary admit-or-deny, because EU AI Act Annex III high-risk classification requires human-oversight points that are meaningless when the only decision is binary. Fourth, lineage must survive vendor migration, because ISO/IEC 27001 audit-grade history must outlast any specific access-control product lifecycle.

Fifth, the architecture must compose hierarchically across tenant, building, campus, and jurisdiction scopes, because multi-tenant buildings, mixed-use developments, and operator coalitions have authority taxonomies that current systems flatten into single-vendor databases. Sixth, the architecture must distinguish authorization from actuation, so that a denied entry, a deferred entry, and a partially granted entry (lobby yes, executive floor no) are first-class outcomes rather than workflow exceptions handled outside the access-control system.

What no current vendor architecture provides is the substrate that ties these six properties together as structural conditions of the platform itself rather than as procedural overlays. Honeywell, Johnson Controls, Lenel, Genetec, HID, Verkada, and Brivo each ship excellent products against the credential-centric model; none of them ships a primitive in which authorization is computed from observable continuity, weighted by authority class, and admitted as a graduated outcome that is recursively re-entered as evidence.

3. Why Procedural Compliance Fails

Every physical access control system depends on credentials that can be transferred. A key can be copied. A card can be cloned. A PIN can be shared. A biometric template can be spoofed. Mobile credentials stored on phones are more convenient but inherit the vulnerabilities of the phone's security model. The credential is the identity, and credentials are inherently separable from the person they represent.

Building access management is operationally expensive because credentials must be issued, tracked, revoked, and replaced. When an employee leaves, their credentials must be deactivated across every access point. When a contractor needs temporary access, a credential must be provisioned and later revoked. When a credential is lost, every door it could access becomes a potential vulnerability until the credential is replaced and the lost one is deactivated. The compliance burden is therefore continuous rather than point-in-time: a single failure to revoke promptly is a SOC 2 finding, an ISO/IEC 27001 nonconformity, and potentially a NIS2-reportable cybersecurity incident.

Multi-tenant buildings face a compounded version of this problem. Each tenant manages its own access control for its spaces, but shared spaces like lobbies, parking structures, and conference facilities require cross-tenant credential management that no single tenant controls and no building management system handles gracefully. The procedural compensation is invariably a master credential held by building services, which becomes a single point of breach exposure that no insurance carrier underwrites cheaply.

Biometric access control (fingerprint readers, facial recognition, and iris scanners) eliminates the transferability of physical credentials but creates stored biometric templates that present their own vulnerabilities. A stolen biometric template cannot be revoked because the biometric is the person. A spoofed fingerprint or a deepfake face can defeat systems that match against stored templates. Under GDPR Article 9 the template itself is special-category data; under EU AI Act Annex III the matching system is a high-risk AI system; under NIS2 the breach of the template store is a reportable incident. The compliance cost of holding biometric templates has therefore overtaken the operational benefit of biometric access in regulated jurisdictions.

More fundamentally, biometric systems require enrollment: a point-in-time capture that creates the stored template. The system trusts the template because it was captured during a controlled enrollment process. But the ongoing relationship between the person and the template is based on static matching, not on behavioral continuity. A person who presented a valid fingerprint at enrollment is trusted every time that fingerprint matches, regardless of whether the person's behavior is consistent with their established pattern. The procedural overlay required to detect impersonation after a successful template match is exactly the human-oversight and post-market-monitoring obligation the EU AI Act now imposes by statute, with no architectural support inside the access-control product to satisfy it.

4. What the AQ Keyless-Identity Primitive Provides

The Adaptive Query keyless-identity primitive, disclosed under USPTO provisional 64/050,895, derives access authorization from accumulated behavioral continuity rather than from possession of a credential or match against a stored template. There is no credential to present, no template to match, and no enrollment event that creates a static reference. The person's identity is their accumulated trajectory of interactions with the building's systems: movement patterns, device associations, timing characteristics, and environmental signals. Each interaction is a credentialed observation within a published authority taxonomy (employee, contractor, visitor, emergency responder), and the trust slope is the time-weighted aggregation of those observations.

The trust slope strengthens with each legitimate access event. A person who has been entering the building at consistent times, following consistent movement patterns, and interacting with building systems in consistent ways has a strong trust slope. An unauthorized person attempting to use the same access point has no accumulated trajectory and cannot forge one because each link in the chain depends on entropy sources specific to the actual person's interactions: elevator-call timing, badge-area presence detection, Wi-Fi association patterns, HVAC zone occupancy, and lighting-system response history. The chain is not a single secret to be stolen; it is a recursive evidential structure that must be lived to be carried.

Access decisions are continuous rather than binary. Instead of a single credential check at the door, the system continuously evaluates the person's behavioral trajectory against their established pattern and produces a graduated outcome from a defined mode set: permit, permit-with-monitoring, defer-pending-corroboration, partial-permit (e.g. lobby admitted, executive floor escorted), or refuse. Anomalous behavior, such as entering at an unusual time, accessing an unusual floor, or exhibiting movement patterns inconsistent with the established trajectory, drives the outcome down the graduation rather than triggering a binary alarm.
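One way to read the trust slope and the graduated mode set described above, as an added sketch that is not code from the article or from the AQ disclosure. The exponential half-life, the authority weights, the thresholds, the anomaly step-down rule and the sample data are all assumptions; only the authority classes and the mode names (taken in the order the article lists them) come from the text.

```python
from dataclasses import dataclass

# Authority classes are the page's; the weights are assumed for illustration.
AUTHORITY_WEIGHT = {"employee": 1.0, "contractor": 0.6,
                    "visitor": 0.3, "emergency responder": 1.0}
HALF_LIFE_DAYS = 14.0                 # assumed decay half-life
THRESHOLDS = (0.5, 2.0, 5.0, 10.0)    # assumed slope needed for each step up
# The page's mode set, lowest to highest (ordering taken from the page's list).
MODES = ("refuse", "partial-permit", "defer-pending-corroboration",
         "permit-with-monitoring", "permit")


@dataclass(frozen=True)
class Observation:
    day: float          # when the interaction was observed
    authority: str      # authority class that credentialed it
    consistency: float  # 0..1 match against the established pattern


def trust_slope(observations, now_day):
    """Time-weighted aggregation: each observation halves every HALF_LIFE_DAYS."""
    total = 0.0
    for obs in observations:
        age = now_day - obs.day
        if age < 0:
            continue  # ignore observations dated in the future
        decay = 0.5 ** (age / HALF_LIFE_DAYS)
        total += AUTHORITY_WEIGHT[obs.authority] * obs.consistency * decay
    return total


def decide(slope, anomalies=0):
    """Pick a mode from the slope, then step down once per anomaly signal."""
    level = sum(1 for t in THRESHOLDS if slope >= t)
    return MODES[max(0, level - anomalies)]


# Constructed sample data: 30 daily consistent entries, and a first-day visitor.
EMPLOYEE = [Observation(float(d), "employee", 1.0) for d in range(30)]
VISITOR = [Observation(d, "visitor", 1.0) for d in (0.0, 0.1, 0.2)]

if __name__ == "__main__":
    for label, obs, now, anomalies in [
        ("employee, day 30", EMPLOYEE, 30, 0),
        ("employee, unusual floor and hour", EMPLOYEE, 30, 2),
        ("employee, 90 days absent", EMPLOYEE, 120, 0),
        ("visitor, first morning", VISITOR, 0.3, 0),
        ("no history", [], 30, 0),
    ]:
        print(f"{label}: {decide(trust_slope(obs, now), anomalies)}")
```

The 90-day-absent case shows the structural revocation the article describes: the same observations that yield permit on day 30 fall below the lowest threshold without any deactivation step.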

The primitive is technology-neutral with respect to the underlying sensors (any building-systems telemetry, any signature scheme, any storage backend) and composes hierarchically across tenant, building, campus, and operator-coalition scopes. Each scope maintains its own authority taxonomy, and trust slopes are scope-local with explicit cross-scope composition rules. The recursive closure is load-bearing: every access event produces actuation-state observations (door opened, elevator called, floor reached, dwell time recorded) that re-enter the chain as inputs to subsequent evaluations, so the system's evidence base grows monotonically with legitimate use and degrades structurally under impersonation attempts.

5. Compliance Mapping

Against GDPR Article 9, the keyless-identity primitive eliminates the special-category-data exposure because no biometric template is stored: trust slopes are computed from operational telemetry already collected for building-management purposes, and the per-subject continuity record is a derived structure that can be deleted, regenerated, and bounded under Article 5(1)(e) storage limitation. The Article 35 data-protection impact assessment becomes tractable because the processing is no longer "uniquely identifying a natural person" within Article 9 — the system identifies a continuity, not a body.

Against ISO/IEC 27001:2022 Annex A.7 and A.5.15-A.5.18, the credentialed-observation chain produces audit-grade history that satisfies access-control inventory and revocation requirements without an issued-credential database. Revocation under the keyless model is structural: an employee's trust slope decays through absence rather than requiring active credential deactivation across every access point. NIST SP 800-116 PIV interoperability is preserved as an optional authority class — federal-issued PIV remains a high-weight observation within the chain rather than the sole gate. ISO/IEC 27002:2022 control 7.2 (continuous validation of authorization) is satisfied by construction because authorization is continuous in the architecture, not periodic.

Against the EU AI Act, the architecture sidesteps the most onerous Annex III obligations by not performing remote biometric identification: the system is a behavioral-continuity governance substrate, not a biometric categorization system. Where biometric inputs are used at all, they are credentialed observations within a broader chain rather than the determining match, which materially reduces the conformity-assessment surface and aligns with the human-oversight requirements of Article 14. Against NIS2, the absence of a stored-secret database removes the most common reportable-incident category for access-control breaches; lineage records provide the post-incident reconstruction NIS2 Article 23 demands.

Against SOC 2 CC6.4 and CC6.5, the lineage chain is structurally tamper-evident and cross-authority auditable, providing the credentialed-evidence trail SOC 2 examiners increasingly demand. Against NFPA 101 and NFPA 730, the graduated-outcome mode set explicitly includes emergency-egress, fail-safe, and life-safety states as first-class chain outcomes rather than overrides bolted onto a binary system.

6. Adoption Pathway

A smart building deploying keyless access integrates trust slope evaluation into existing building infrastructure: elevator systems, door controllers, lighting systems, and HVAC zones. Each system contributes to and evaluates the occupant's behavioral trajectory. No separate access control hardware is required beyond the building systems that already exist, which means the capital expenditure profile is incremental rather than rip-and-replace, and the integration follows BACnet, Modbus, and OPC UA boundaries already defined by the building-automation stack.

For building operators, keyless access eliminates credential management overhead. No cards to issue, track, or revoke. When an employee leaves, their trust slope naturally decays through absence. No active deactivation is required. When a visitor arrives, their trust slope begins building from the moment they enter, providing graduated access that increases with legitimate presence. The operational savings appear in three line items: credential-issuance labor, lock-and-rekey expense, and the insurance premium associated with credential-loss exposure.

For multi-tenant buildings, each tenant's space operates as a trust scope. The building's common areas have their own trust scope. Occupants build trust slopes within the scopes they legitimately use. Cross-tenant access is governed by the trust relationships between scopes, not by cross-tenant credential management. This dissolves the master-credential problem that has historically been the largest insurance-relevant exposure in commercial real estate.

For security teams, the continuous behavioral evaluation provides richer intelligence than binary access logs. Instead of knowing that a credential was presented at a door, the system provides a continuous behavioral assessment of every occupant, detecting anomalies that credential-based systems cannot identify. The forensic posture against a post-incident regulator is structurally stronger because the chain admits reconstruction of any state at any past time with credentialed evidence rather than reliance on the integrity of a vendor-controlled audit log.
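The tamper-evident lineage and the reconstruction of past state described above can be illustrated with a hash-linked log, shown here as an added example and not the article's or the AQ primitive's own design. The entry fields, the genesis value, the use of unkeyed SHA-256 and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def _digest(prev_hash, body):
    # Canonical JSON so the same body always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain, body):
    """Link a new observation to the hash of the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "body": body, "hash": _digest(prev, body)})


def first_broken_link(chain):
    """Index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["body"]):
            return i
        prev = entry["hash"]
    return None


def state_at(chain, t):
    """Replay the verified chain up to time t: last outcome per subject."""
    if first_broken_link(chain) is not None:
        raise ValueError("lineage chain failed verification")
    state = {}
    for entry in chain:
        body = entry["body"]
        if body["t"] > t:
            break
        state[body["subject"]] = (body["scope"], body["outcome"], body["actuation"])
    return state


def sample_chain():
    """Constructed events; subjects, scopes and actuation labels are made up."""
    chain = []
    for t, subject, scope, outcome, actuation in [
        (1, "occupant-A", "lobby", "permit", "door opened"),
        (2, "occupant-B", "lobby", "defer-pending-corroboration", "door held"),
        (3, "occupant-A", "floor-12", "partial-permit", "elevator called"),
    ]:
        append(chain, {"t": t, "subject": subject, "scope": scope,
                       "outcome": outcome, "actuation": actuation})
    return chain
```

An unkeyed chain like this only exposes edits when the latest hash is also held or signed by a party other than the log's operator, since anyone able to rewrite every entry can recompute the links. The article leaves the signature scheme open, so that anchoring step is not shown.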

The adoption pathway is staged: first, deploy the keyless substrate alongside the incumbent credential system as an evidential overlay producing graduated-outcome recommendations to the existing access-control product; second, migrate low-stakes scopes (visitor management, common-area access, parking) to keyless authorization while retaining credentials for executive and high-security scopes; third, retire credentials in scopes where the trust-slope record has reached a stable evidential maturity. Each stage produces compliance-relevant evidence — DPIA artifacts, ISO/IEC 27001 audit findings, SOC 2 Type II observations — that supports the next stage. The endpoint is a building whose access architecture satisfies GDPR, NIS2, EU AI Act, ISO/IEC 27001, and SOC 2 simultaneously without procedural compensation, because the architectural floor was raised by the substrate rather than papered over by policy.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie