Access Granted: Why Your Strongest Controls Fail at the Front Door
In a recent Cyberside Chats discussion, LMG Security’s penetration testing team described how they routinely gain access to corporate environments not through exploits, but through people.
One recent engagement illustrates the point clearly. The question was whether the testers could walk into the building and find the Easter eggs that had been planted there as indicators. They could.
LMG Security’s testers entered the building without being challenged, moved through multiple areas, and located the Easter eggs without triggering any concern. No one questioned why they were there, and no one reported the objects that had been deliberately placed as indicators.
That outcome is more instructive than any exploit chain, not because a specific control failed, but because the controls that existed depended on behaviors that didn’t hold up in practice.
This is not an edge case. Verizon’s 2024 Data Breach Investigations Report found that 76% of breaches involve the human element, including social engineering and misuse. What this test shows is how that statistic actually plays out in a real environment: not as a single failure, but as a sequence of small, reasonable decisions that collectively allow access to expand.
Initial Access Is Still a Human Decision
The podcast makes an important distinction: these engagements are not about defeating controls at the point of entry. They are about navigating how people behave in normal situations.
“We’re not here to pick locks… we’re here to bypass people,” as Tom Pohl put it.
That distinction shows up immediately in how access is gained. Techniques like tailgating, following an authorized employee through a secured door, don’t rely on technical gaps. They rely on social dynamics that most organizations implicitly accept.
An employee at the door is not thinking about access control enforcement. They are deciding whether to create friction. Holding the door open is the default because it aligns with how people are expected to behave in a workplace.
From a policy perspective, tailgating is prohibited. From a cultural perspective, it is often normalized. That gap is not theoretical; it is where initial access actually happens.
How Trust Expands Once Entry Is Granted
Once inside, the dynamic shifts quickly.
The testers described how credibility builds through small, compounding signals: using the right language, referencing internal context, matching the tone and pace of the environment. None of these techniques are sophisticated, but they are effective because they align with expectations.
What matters is not whether access was formally granted. What matters is whether the individual is treated as if it was.
Once that perception takes hold, it tends to propagate. Employees stop reevaluating access and instead assume it has already been validated. Movement becomes easier. Questions become less likely.
By the time the testers were locating the Easter eggs, they were no longer navigating entry points; they were operating within an accepted identity.
This transition, from unknown to unquestioned, is where most organizations lose control. It is also where security culture becomes operational: it determines how quickly trust is extended, and how rarely it is challenged once established.
As the Microsoft Digital Defense Report 2025 notes, “Threat actors are no longer trying to force their way in, they’re blending in.” In practice, that doesn’t require sophistication. It requires behaving in a way that fits well enough that no one feels compelled to question it.
What the Test Actually Demonstrates
It’s easy to interpret this as a physical security issue. That interpretation misses the broader point.
The test demonstrates how trust is established, extended, and left unexamined.
Across the engagement, the same conditions appeared:
- Implicit trust at entry — Presence was treated as sufficient proof of authorization, without meaningful verification.
- Unrestricted internal movement — Once inside, testers moved between areas without being challenged or escorted.
- Accessible systems and endpoints — Unlocked workstations, shared devices, and open network access points created immediate opportunities.
- Weak internal controls on identity and activity — After entry, there was little validation of what the testers were doing or where they were going.
These are not unusual gaps. They are the natural result of environments where trust is assumed and rarely revisited.
Why These Controls Degrade Over Time
Most organizations implement the right controls. Badge systems are deployed. Visitor processes are defined. Policies are documented and communicated.
Over time, those controls are shaped by how people actually use them.
Employees optimize for efficiency. They reduce friction where possible. They make judgment calls in ambiguous situations. And unless there is immediate feedback when something goes wrong, those behaviors become the norm.
This is where security culture operates: not as an abstract concept, but as a set of reinforced behaviors.
A control that depends on human enforcement is not defined by the policy. It is defined by what people consistently do under normal conditions.
If holding the door is easier than challenging someone, that becomes the control.
The Visibility Problem
From a detection standpoint, none of this is visible in the systems security teams rely on.
There is no alert for a door being held open, a badge issued with minimal verification, or a conversation that establishes credibility.
Security programs are built around telemetry, but initial access in these cases occurs outside of those signals.
By the time activity reaches a monitored system, the attacker is already operating within an accepted level of trust.
This creates a structural gap. Detection capabilities can identify malicious activity, but they do not address how access is granted in the first place.
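A door held open leaves no event, but the badge swipe that should have accompanied a logon does leave a trace by its absence, and most badge systems can export their event logs. The following Python script is an added example, not code from the podcast or from LMG Security: it correlates a constructed badge-reader export with constructed workstation logon records and flags interactive logons for which the user has no prior badge-in that day. The log formats, user names, hostnames and the twelve-hour correlation window are assumptions chosen for illustration.

```python
"""
Badge/logon correlation: surface workstation logons with no matching
badge-in. Added example; the two log formats and all sample records are
constructed for illustration and do not come from any real badge system
or SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge-reader export: time, user, reader, result
BADGE_LOG = """\
2025-03-04T08:02:11 alice  lobby-door-1  granted
2025-03-04T08:05:40 bob    lobby-door-1  granted
2025-03-04T08:06:02 dave   lobby-door-1  denied
2025-03-04T09:15:22 carol  lobby-door-1  granted
"""

# Constructed interactive-logon records for on-site workstations
# (remote/VPN logons are assumed to be filtered out before this step).
LOGON_LOG = """\
2025-03-04T08:10:05 alice  WS-ALICE
2025-03-04T08:12:33 bob    WS-BOB
2025-03-04T08:20:17 dave   WS-SHARED-3
2025-03-04T08:41:50 erin   WS-SHARED-3
2025-03-04T09:02:00 carol  WS-CAROL
"""


def parse(text, fields):
    """Parse whitespace-separated records into dicts with a datetime 'time'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        rec["time"] = datetime.fromisoformat(rec["time"])
        rows.append(rec)
    return rows


def correlate(badge_text, logon_text, max_gap=timedelta(hours=12)):
    """
    Return (user, host, logon_time, reason) for each logon that is not
    preceded by a granted badge-in for the same user within max_gap.

    Reasons, from most to least specific:
      - "logon after denied badge": the reader refused the user shortly before
      - "logon precedes badge-in":  the badge-in came only after the logon
      - "no badge-in":              no badge event for the user at all
    """
    badges = parse(badge_text, ("time", "user", "reader", "result"))
    logons = parse(logon_text, ("time", "user", "host"))

    granted = defaultdict(list)
    denied = defaultdict(list)
    for b in badges:
        target = granted if b["result"] == "granted" else denied
        target[b["user"]].append(b["time"])

    findings = []
    for lg in logons:
        user, when = lg["user"], lg["time"]
        # A granted swipe at or before the logon, within the window, clears it.
        if any(timedelta(0) <= when - t <= max_gap for t in granted[user]):
            continue
        if any(timedelta(0) <= when - t <= max_gap for t in denied[user]):
            reason = "logon after denied badge"
        elif any(timedelta(0) < t - when <= max_gap for t in granted[user]):
            reason = "logon precedes badge-in"
        else:
            reason = "no badge-in"
        findings.append((user, lg["host"], when.isoformat(), reason))
    return findings


if __name__ == "__main__":
    for user, host, when, reason in correlate(BADGE_LOG, LOGON_LOG):
        print(f"{when} {user:<6} {host:<12} {reason}")
```

On the constructed data this flags three of the five logons: dave, who was refused at the reader but is on a shared workstation fourteen minutes later; erin, who never badged at all; and carol, whose badge-in arrives only after her logon. None of these is proof of tailgating on its own. Shared doors, a second entrance without a reader, or a badge-out at lunch followed by a held door on the way back will all produce the same pattern, so the output is a lead for a follow-up conversation, not an alert to page on. Its value is that it turns the one gap the page describes, access granted outside telemetry, into something a detection team can at least measure.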
These patterns are consistent across environments and engagements. For security leaders, they translate into a set of practical considerations:
- Test human controls with the same rigor as technical controls: if social engineering and physical access are not actively tested, the organization is relying on assumptions about how people behave under real conditions.
- Treat presence as an input, not proof: being inside the building should not automatically confer legitimacy. Physical access should be the beginning of validation, not the end of it.
- Design controls for real behavior, not ideal behavior: policies assume compliance; environments reflect shortcuts. Controls need to account for how people actually operate under time pressure and ambiguity.
- Limit how far trust propagates after entry: most environments extend trust too broadly once access is granted. Segmentation, monitoring, and validation should continue inside the perimeter, not stop at it.
- Train for decision-making under ambiguity: employees rarely face obvious threats. They face situations that feel slightly off. Training should focus on how to act in those moments, not just how to recognize clear violations.
- Use testing to expose what policy cannot: documentation shows how controls are intended to work. Testing reveals how they actually behave when they interact with people, process, and environment.
Conclusion
There was no exploit in this test. No alert fired, and no control failed in a way that would appear in a dashboard. An unauthorized individual entered the building, moved through the environment, and completed their objective without resistance.
At that point, the question isn’t whether controls exist. It’s how they behave once someone appears to belong.
That is also what makes this class of risk difficult to evaluate from documentation alone. Policies describe how controls are intended to work, but they don’t capture how those controls are applied in real situations. The gap between the two is not theoretical but operational, shaped by how people make decisions under normal conditions.