The boundary between IT (“logical” access) and OT/facility security (“physical” access) is disappearing. Identities now span cloud apps, data centers, substations, pumps, and doors. To stay resilient, critical entities need one identity fabric that governs both domains with the same policies, telemetry, and accountability.
Key2XS sits at the center of this shift: it connects electronic key and cylinder systems (e.g., ASSA ABLOY CLIQ, iLOQ) with leading IAM platforms (Microsoft Entra ID, SailPoint, Okta, One Identity and others), so you can govern real-world access with the same rigor you apply to systems and data.
The Key2XS platform is protected by several patents pending, ensuring its unique approach and innovation remain unmatched in the market.
1) Shared risk surface. Hybrid attacks blend credential abuse with on-site manipulation (e.g., opening a cabinet to plug in a rogue device). Treating logical and physical access separately leaves blind spots.
2) Regulation & accountability. Frameworks like NIS2 and the CER Directive require provable control over identities, suppliers, and incidents across IT and OT.
3) Workforce dynamics. Contractors and mobile crews need time-bounded, context-aware access both to apps and to assets in the field.
4) Tech maturity. Modern IAM, policy engines, and electronic keys now support real-time provisioning, revocation, and audit at scale.
One identity, one policy, everywhere.
Authoritative source: HR/IAM is the “single source of truth” for people, roles, and lifecycle events.
Policy portability: The same role/attribute rules that grant a user SCADA read-only access also grant the right physical keys for the right doors, cabinets, and padlocks.
Just-in-time (JIT) & least privilege: Keys activate only when needed, for specific jobs and time windows, then expire automatically.
Unified telemetry: Door events and key audit trails stream into the SOC alongside identity and endpoint signals for correlation and response.
Automated revocation: Terminate or offboard once in IAM; both badge/keys and app access are removed instantly.
IAM / IGA (Entra ID, SailPoint, Okta, One Identity, OpenText/NetIQ and others) holds identities, roles, and SoD policies.
Key2XS acts as the bridge/orchestrator:
- Translates IAM roles into granular physical permissions.
- Provisions/updates electronic keys and cylinders (e.g., ASSA ABLOY CLIQ, iLOQ).
- Collects audit trails and pushes events to SIEM/SOAR.
- Applies AI assistance to propose keyplans, detect anomalies, and optimize cylinder/route management.
Physical endpoints (keys, cylinders, cabinets, gates) enforce access offline/online; syncs validate and rotate permissions.
SOC & OT monitoring receive unified alerts, enabling playbooks that include both door/asset response and logical remediation.
Never trust, always verify: A key alone isn’t enough; context (who, when, where, job ticket) is evaluated before activation.
Continuous evaluation: Access can be paused based on risk signals (e.g., compromised contractor identity, unusual travel, failed PIN attempts on multiple cabinets).
Micro-segmentation of the physical estate: Keys activate only for the precise set of cylinders a work order requires.
Lifecycle evidence: Every grant, change, and revocation is linked to the identity and business justification from IAM.
Incident reporting: Physical events (forced openings, repeated denials) correlate with logical anomalies for faster root cause and structured reporting.
Third-party control: Contractors get time-boxed, scope-limited access with full traceability and easy renewal/termination.
1) Native bridge between IAM and key systems
Key2XS natively integrates with ASSA ABLOY CLIQ and iLOQ (among others) while speaking the language of Entra ID, SailPoint, Okta, OpenText and One Identity. No brittle custom glue.
2) Role-driven keyplans
Turn roles and attributes into automated keyplans. When a technician joins a team or picks up an on-call shift, Key2XS issues the minimum set of grants to both applications and cylinders, then retracts them when the shift ends.
3) AI-assisted operations
Auto-generated keyplans from org roles, site topology, and uploaded infrastructure data.
Anomaly detection (e.g., unusual route/sequence across cabinets, repeated after-hours attempts).
Optimization for cylinder maintenance, permission hygiene, and field efficiency.
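The anomaly detection described above (and the risk-based pausing of access mentioned earlier), as an added Python example that is not Key2XS code: a small detector run over constructed, normalized key-audit lines that flags PIN failures spread across several cabinets and repeated after-hours denials at one cylinder, and lists the identities a playbook would pause in IAM. The line format, thresholds and working-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed key-audit events in the normalized form this example assumes:
# "<ISO timestamp>,<identity>,<cylinder>,<result>"
SAMPLE_EVENTS = """\
2024-06-01T09:05:00,tech.b@example.com,SUB-A-GATE,granted
2024-06-01T09:07:00,tech.b@example.com,SUB-A-CTRL-CAB,granted
2024-06-01T23:10:00,contractor.a@example.com,SUB-A-CTRL-CAB,pin_failed
2024-06-01T23:14:00,contractor.a@example.com,SUB-A-RELAY-CAB,pin_failed
2024-06-01T23:21:00,contractor.a@example.com,SUB-B-CTRL-CAB,pin_failed
2024-06-02T02:30:00,tech.c@example.com,SUB-A-GATE,denied
2024-06-02T02:31:00,tech.c@example.com,SUB-A-GATE,denied
2024-06-02T02:33:00,tech.c@example.com,SUB-A-GATE,denied
"""

def parse_events(text):
    """Turn the CSV-style audit lines into dicts with a real timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, identity, cylinder, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "identity": identity,
                       "cylinder": cylinder, "result": result})
    return events

def detect(events, work_start=7, work_end=19, pin_cabinets=3, denial_repeats=3):
    """Flag (a) PIN failures by one identity across several cabinets and
    (b) repeated denials at one cylinder outside the assumed working hours."""
    pin_cabs = defaultdict(set)            # identity -> cabinets with PIN failures
    after_hours = defaultdict(int)         # (identity, cylinder) -> denial count
    for e in events:
        if e["result"] == "pin_failed":
            pin_cabs[e["identity"]].add(e["cylinder"])
        outside_hours = not work_start <= e["ts"].hour < work_end
        if outside_hours and e["result"] in ("denied", "pin_failed"):
            after_hours[(e["identity"], e["cylinder"])] += 1
    alerts = []
    for ident, cabs in pin_cabs.items():
        if len(cabs) >= pin_cabinets:
            alerts.append(("pin_failures_multi_cabinet", ident, sorted(cabs)))
    for (ident, cyl), n in after_hours.items():
        if n >= denial_repeats:
            alerts.append(("repeated_after_hours_denials", ident, cyl))
    return alerts

def identities_to_pause(alerts):
    """Identities a SOAR playbook would pause in IAM pending review."""
    return {ident for _, ident, _ in alerts}
```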
4) Unified audit & response
Stream standardized events and audit trails into your SIEM/SOAR so playbooks can: disable a user, pull all electronic key rights, alert the field team, and lock down sensitive cabinets in one motion.
5) Built for critical entities
Offline-capable keys, robust audit trails, and privacy-by-design controls suit utilities, transport, water, telecom, healthcare, and government infrastructure.
6) Protected innovation
The Key2XS platform is safeguarded by several patents pending, covering its unique orchestration between IAM systems and electronic key ecosystems, ensuring customers benefit from capabilities unavailable anywhere else.
Fewer truck rolls & re-cylindering: Electronic permission changes replace mechanical rekeying after loss or role change.
Faster contractor onboarding: Provision once in IAM; keys and apps follow automatically.
Audit without heroics: Evidence is generated by default, cutting prep time for assessments and investigations.
Reduced downtime risk: Correlated telemetry shortens detection and response for hybrid incidents.
Weeks 0–2: Foundations
Connect IAM and import roles; define critical sites and cylinders; map contractors.
Weeks 3–6: Pilot & JIT
Select a region/asset class; enable JIT keys for maintenance and emergency crews; integrate SIEM.
Weeks 7–10: Scale & automate
Expand to additional vendors/sites; switch on AI keyplan recommendations; align SOC playbooks.
Weeks 11–13: Prove & optimize
Validate KPIs (MTTR, audit readiness, onboarding time, permission hygiene); tune policies and SoD.
Suggested KPIs
Time to provision/revoke (apps + physical).
% of JIT vs. standing permissions.
Audit exceptions and remediation time.
MTTR for hybrid incidents.
Contractor onboarding time.
A grid operator needed to grant weekend access to a contractor for timed substation work. Through Key2XS, the operations lead approved a work-order role in IAM. Key2XS generated the minimal keyplan, activated it for a six-hour window, and streamed all door events to the SIEM. When the ticket closed, both logical and physical rights expired. The SOC retained a unified audit trail for compliance reporting.
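The work-order flow above (and the role-driven keyplans in point 2), as an added Python example that is not Key2XS code: a minimal policy engine that intersects a work order with its role's ceiling of cylinders, binds every grant to the ticket's time window, and pulls all of an identity's grants in one call on offboarding. The role catalogue, cylinder ids and ticket format are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed role ceiling: the most any holder of the role may ever open.
ROLE_CYLINDERS = {
    "substation-maintenance": {"SUB-A-GATE", "SUB-A-CTRL-CAB", "SUB-A-RELAY-CAB"},
    "scada-readonly": set(),  # logical-only role: no physical entitlements
}

@dataclass
class WorkOrder:
    ticket: str
    identity: str
    role: str
    cylinders: set   # only what this job needs, not the whole role ceiling
    start: str       # ISO 8601, e.g. "2024-06-01T08:00:00+00:00"
    hours: int

@dataclass
class Grant:
    identity: str
    cylinder: str
    ticket: str
    valid_from: datetime
    valid_to: datetime
    revoked: bool = False

def build_keyplan(wo: WorkOrder) -> list:
    """Least privilege: refuse any cylinder outside the role ceiling, then
    bind each surviving cylinder to the identity, ticket and time window."""
    denied = wo.cylinders - ROLE_CYLINDERS.get(wo.role, set())
    if denied:
        raise PermissionError(f"{wo.ticket}: {wo.role} cannot cover {sorted(denied)}")
    start = datetime.fromisoformat(wo.start)
    end = start + timedelta(hours=wo.hours)
    return [Grant(wo.identity, c, wo.ticket, start, end) for c in sorted(wo.cylinders)]

def is_active(g: Grant, now_iso: str) -> bool:
    """A key opens only inside its window and only while not revoked."""
    now = datetime.fromisoformat(now_iso)
    return not g.revoked and g.valid_from <= now < g.valid_to

def revoke_identity(plan: list, identity: str) -> int:
    """Offboarding in IAM pulls every outstanding grant for the identity at once."""
    hits = [g for g in plan if g.identity == identity and not g.revoked]
    for g in hits:
        g.revoked = True
    return len(hits)
```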
Tight, supported integrations with your IAM and key systems, not bespoke one-offs.
Policy & SoD alignment between logical and physical domains.
Offline resilience with verifiable audits.
Event normalization for your SIEM/SOAR.
AI that explains itself (transparent recommendations and change logs).
Vendor partnerships and a roadmap for additional lock/key ecosystems.
Patented or patent-pending innovations to ensure long-term differentiation.
Logical and physical access are no longer separate problems. Identities, policies, and evidence must move as one, especially for critical entities facing hybrid threats and rising regulatory pressure. Key2XS, protected by several patents pending, is purpose-built for this reality: a reliable bridge that turns IAM intent into precise, auditable control over the physical world, without friction for your workforce.
Interested in a deeper dive? We can tailor a short workshop to your estate and show how your existing IAM roles translate into safe, just-in-time physical access with unified audit and response.