(855) 440-5353Get a Quote
HomeServices
Access Control SystemsVideo Surveillance SolutionsStructured Cabling SolutionsAlarm SystemsIntercom SystemsVirtual Guard ServicesPAXCare PlansSmart LocksSystem Takeover
AboutCase StudiesLearnContact
Get a Quote(855) 440-5353
Knowledge Base
Access ControlFor Property Managers

Who Actually Has Access to Your Building Right Now?

Not who should have access -- who does. Most buildings cannot answer that question cleanly. Here is what a real access audit looks like and why the gaps are almost always hiding in plain sight.

PAX Security6 min readMay 15, 2026
Quick Answer

Most commercial buildings have more active credentials in circulation than they realize -- old employees, former vendors, shared fobs, and duplicate keys that never got collected. A real access audit means pulling every active credential from your system, checking it against your current roster, and revoking anything that should not be there. It takes a few hours and almost always turns up surprises.

Key Takeaways

  • 1The gap between who should have access and who does is almost always larger than property managers expect
  • 2Shared fobs and uncollected keys are the most common and most overlooked access risk in commercial buildings
  • 3A real audit requires pulling a full credential report from your access system -- not just reviewing a paper log
  • 4Modern cloud-based access control lets you revoke a credential in seconds from anywhere -- legacy systems often require a technician
  • 5Access audits should happen whenever staff turnover occurs, not just once a year

Ask most property managers who has access to their building and they will tell you: current tenants, the cleaning crew, and a few vendors. Ask their access control system the same question and the list is almost always longer.

The employee who left six months ago. The contractor who finished a job in February and never returned the fob. The former tenant whose key was never collected at move-out. The vendor who was given access for a one-week project and is technically still active in the system.

None of this is dramatic. It is just how buildings drift when access management is manual and nobody is responsible for keeping the list current.

Why the list grows without anyone noticing

Adding access is fast and easy. Removing it requires someone to remember to do it, have the time to do it, and know how to do it in whatever system you are using. That asymmetry is where the problem lives.

In buildings with older key card or fob systems, there is often no central dashboard that shows every active credential at once. Deactivating a card requires physical reprogramming of the panel or a service call. So it does not happen consistently -- and over time the gap between who is in the system and who should be in the system quietly widens.

What a real access audit looks like

Pull a full credential report from your access control system. Every active card, fob, PIN, or mobile credential that can currently open a door in your building. Most modern systems can export this as a spreadsheet.

Then compare it against your current tenant list, employee roster, and approved vendor list. Anything that does not match gets flagged. Anyone who left without returning a credential gets revoked. Vendors whose project ended get revoked. Shared credentials -- one fob used by multiple people -- get investigated.

This is not a complicated process. It is just time -- usually a few hours for a mid-sized building. And it almost always turns up credentials that should have been removed months ago.

Shared fobs: the risk that feels small but is not

Shared fobs are common in buildings where tenants or staff share a common area or storage space. One fob, multiple users. The problem: when you need to revoke access for one person, you have to replace the credential entirely -- which means reissuing it to everyone else who uses it.

Because that is inconvenient, it does not happen. The credential stays active. The person who should no longer have access still does, because removing them would disrupt everyone else on the same fob.

Mobile credentials solve this cleanly. Each person gets their own credential tied to their phone. Revoke one user and no one else is affected. You can also see exactly who used a door and when -- which a shared fob can never tell you.

Making access management something you can actually keep up with

The buildings that stay on top of access are the ones where it is easy to act. Cloud-managed systems -- Brivo, Verkada, Openpath -- let you add or revoke a credential in under a minute from a browser or an app. No technician. No panel programming. No service call.

When removing a credential is that fast, it actually gets done. An employee gives notice on a Friday and their access is gone before they leave the building. A vendor finishes a job and their credential is revoked the same day. That is what a controlled building looks like -- not because of discipline, but because the system makes the right thing easy.

Your Checklist

  • Pull a full active credential report from your access control system today
  • Compare every credential against your current tenant, employee, and vendor list
  • Revoke anything that does not match
  • Identify all shared credentials and assess whether individual credentials are feasible
  • Set a calendar trigger to repeat this review at every staff change and tenancy turnover -- not just annually

Common Mistakes to Avoid

Doing access reviews once a year instead of at every personnel change

Treating a missing fob as a minor inconvenience instead of a security event

Not knowing how many active credentials your system has

Frequently Asked Questions

How do I pull an active credential report from my access control system?

It depends on the platform. Most modern systems -- Brivo, Verkada, Openpath, Lenel, Genetec -- have a user or credential report in the admin dashboard you can export as a CSV. If you cannot find it, your installer or the platform support team can walk you through it in a few minutes. If your system has no reporting capability at all, that is a gap worth addressing.

What should I do if I find credentials that should have been revoked?

Revoke them immediately and note when they were supposed to have been removed. If the same person shows activity in your access logs after their employment or tenancy ended, that is worth documenting and potentially escalating. Most of the time it is an oversight, not an incident -- but you should know either way.

How often should a commercial building do an access audit?

At minimum, quarterly. In practice, the cleanest buildings tie access reviews to specific events: end of a tenancy, staff offboarding, end of a vendor engagement. If you make the review part of your offboarding checklist rather than a standalone task, it is much harder to skip.

Can I switch to mobile credentials without replacing my whole access control system?

Sometimes. Some systems support mobile credentials as an add-on to existing hardware -- you can issue phone-based credentials alongside physical fobs without changing the readers or the panel. Others require new hardware. We can assess your current setup and tell you what the upgrade path looks like.

Related Services

Access Control SystemsVideo Surveillance SolutionsPAXCare Plans

Want help running an access audit on your building?

We can pull the credential report, flag what does not belong, and get your system cleaned up -- usually in a single visit. Licensed in NY and NJ.

Talk to Our Team(855) 440-5353