
Energy resilience fails when physical access is unmanaged

Written by Key2XS | Jun 18, 2026 6:23:53 PM

Why physical access governance has become a boardroom issue

Energy resilience is no longer only about generation capacity, grid investment, cybersecurity or emergency planning. It is about control.

In its Energy Industry Insights 2026 special report, DNV describes a sector facing a broader and more frequent threat landscape: war, cyber threats, terrorism, trade disruption, climate change, supply bottlenecks, ageing assets, sabotage, drones and pressure on undersea infrastructure. The conclusion is clear: being concerned is not the same as being prepared.

Preparedness means knowing which assets, systems and people are at risk. It means knowing who is responsible, how disruption could occur, how assets can be protected, how fast recovery is possible and which decisions must already be taken before a crisis hits.

That is where many energy organizations still have a blind spot.

They have invested heavily in IT security. They are modernizing OT environments. They are building cyber response capabilities. But physical access to critical field infrastructure often still sits outside the same governance model. Keys, cylinders, substations, transformer houses, cabinets, technical rooms, control locations and contractor access are too often managed in fragmented systems, local procedures, spreadsheets or vendor-specific platforms.

That is no longer good enough.

The energy system has become one interconnected attack surface

DNV describes energy infrastructure as an increasingly interdependent system. Power grids, substations, pipelines, ports, LNG terminals, refineries, control rooms and digital systems are not isolated objects. They form one operating environment. A local incident can trigger regional impact. A physical attack can create a cyber incident. A cyber incident can disable a physical asset. This is the commercial and operational reality for critical infrastructure operators.

A transformer house is not just a small building. A substation is not just a fenced site. A cabinet is not just an operational object. These are access points into the energy system. If an unauthorized person can enter, manipulate, observe, disrupt or prepare sabotage, resilience has already failed.

Cybersecurity cannot compensate for unmanaged physical access.

Physical access must be governed like digital identity

Modern energy organizations already understand identity governance for IT. Employees, contractors and suppliers should only receive the access rights they need. Access must be approved, time-bound, auditable and revoked when no longer required.

The same logic must apply to physical infrastructure:

  • Who can access which asset?

  • Why do they have access?

  • Who approved it?

  • For how long is access valid?

  • Is access linked to role, project, location, work order or emergency status?

  • Can rights be revoked immediately?

  • Is there an audit trail?

  • Can the organization prove compliance after an incident?


If the answer is no, there is no real control.

This becomes especially critical in the energy sector because many assets are remote, unmanned, distributed and operated through complex ecosystems of employees, contractors, subcontractors, maintenance partners and emergency response teams.
A traditional key register cannot handle that complexity. Neither can a standalone electronic locking system without integration into IAM and IGA.

Connectivity only helps if it is governed

DNV is right to warn that digitalization, automation and AI can improve reliability and decision-making, but also create additional vulnerabilities. More connected systems mean more dependencies, more failure paths and more need for lifecycle governance. The answer is not to connect everything blindly. The answer is controlled integration.

Physical access systems must be connected to identity governance in a secure and purposeful way. Access decisions should be driven by authoritative identity sources, role models, approval flows and policy logic. Electronic keys and cylinders should execute those decisions, not become separate governance islands.
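The governance questions listed above (who, why, approved by whom, for how long, revocable, auditable) and the principle in this paragraph (identity sources and policy decide, the key only executes) can be made concrete in code. The following is an added example written for this article; it is not Key2XS code, not the schema of any IAM or IGA platform, and all identities, assets, grants and the role rule are constructed. It evaluates a key-open request against an authoritative identity record, a time-bound approved grant and a role rule, refuses self-approved grants, supports immediate revocation, and writes every provisioning, revocation and decision to an audit trail.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed data model for this example; not the Key2XS schema or any vendor's API.


@dataclass(frozen=True)
class Identity:
    """Record from the authoritative identity source (HR/IAM)."""
    identity_id: str
    active: bool
    roles: frozenset


@dataclass
class Grant:
    """An approved, time-bound right for one identity to open one asset."""
    grant_id: str
    identity_id: str
    asset_id: str
    approved_by: str
    valid_from: datetime
    valid_until: datetime
    work_order: Optional[str] = None
    revoked_at: Optional[datetime] = None


class PhysicalAccessPolicy:
    """Decides key-open requests from identity state, grants and a role rule,
    and records every provisioning, revocation and decision in an audit trail."""

    def __init__(self, identities, assets):
        self.identities = {i.identity_id: i for i in identities}
        self.assets = assets            # asset_id -> frozenset of roles permitted to open it
        self.grants = {}
        self.audit = []                 # append-only list of dicts

    def _log(self, at, actor, asset_id, event, grant_id, reason=""):
        self.audit.append({"ts": at.isoformat(), "actor": actor, "asset": asset_id,
                           "event": event, "grant": grant_id, "reason": reason})

    def provision(self, grant, at):
        """Approval flow: holder active, asset known, approver is not the holder."""
        ident = self.identities.get(grant.identity_id)
        if ident is None or not ident.active:
            raise ValueError(f"{grant.grant_id}: holder not active in identity source")
        if grant.asset_id not in self.assets:
            raise ValueError(f"{grant.grant_id}: unknown asset {grant.asset_id}")
        if grant.approved_by == grant.identity_id:
            raise ValueError(f"{grant.grant_id}: self-approval not allowed")
        if grant.valid_until <= grant.valid_from:
            raise ValueError(f"{grant.grant_id}: empty validity window")
        self.grants[grant.grant_id] = grant
        self._log(at, grant.approved_by, grant.asset_id, "PROVISIONED", grant.grant_id,
                  f"holder {grant.identity_id}, work order {grant.work_order}")

    def revoke(self, grant_id, revoked_by, at):
        """Immediate revocation: the grant is no longer honoured from `at` onwards."""
        g = self.grants[grant_id]
        g.revoked_at = at
        self._log(at, revoked_by, g.asset_id, "REVOKED", grant_id, f"holder {g.identity_id}")

    def _deny(self, at, identity_id, asset_id, reason):
        self._log(at, identity_id, asset_id, "DENY", "", reason)
        return False, reason

    def decide(self, identity_id, asset_id, at):
        """Return (allowed, reason) for an open attempt at time `at`, and log it."""
        ident = self.identities.get(identity_id)
        if ident is None or not ident.active:
            return self._deny(at, identity_id, asset_id, "identity inactive or unknown")
        if asset_id not in self.assets:
            return self._deny(at, identity_id, asset_id, "unknown asset")
        if not (ident.roles & self.assets[asset_id]):
            return self._deny(at, identity_id, asset_id, "role not permitted for asset")
        reason = "no grant for this identity and asset"
        for g in self.grants.values():
            if g.identity_id != identity_id or g.asset_id != asset_id:
                continue
            if g.revoked_at is not None and at >= g.revoked_at:
                reason = f"grant {g.grant_id} revoked"
            elif at >= g.valid_until:
                reason = f"grant {g.grant_id} expired"
            elif at < g.valid_from:
                reason = f"grant {g.grant_id} not yet valid"
            else:
                self._log(at, identity_id, asset_id, "ALLOW", g.grant_id)
                return True, f"grant {g.grant_id} valid"
        return self._deny(at, identity_id, asset_id, reason)


def demo():
    """Constructed scenario: a contractor with a work-order-bound grant on a substation."""
    def t(hour, minute=0):
        return datetime(2026, 6, 18, hour, minute, tzinfo=timezone.utc)

    policy = PhysicalAccessPolicy(
        identities=[Identity("c-101", True, frozenset({"hv-maintenance"})),
                    Identity("c-102", False, frozenset({"hv-maintenance"})),  # left the contractor
                    Identity("e-007", True, frozenset({"grid-operations"}))],
        assets={"sub-17": frozenset({"hv-maintenance"}),
                "tx-house-3": frozenset({"grid-operations"})},
    )
    policy.provision(Grant("g-1", "c-101", "sub-17", approved_by="e-007",
                           valid_from=t(8), valid_until=t(18), work_order="WO-4411"), at=t(7))
    try:  # a self-approved grant must be refused by the approval flow
        policy.provision(Grant("g-2", "e-007", "tx-house-3", approved_by="e-007",
                               valid_from=t(8), valid_until=t(18)), at=t(7))
        self_approval_refused = False
    except ValueError:
        self_approval_refused = True
    decisions = [
        policy.decide("c-101", "sub-17", t(10)),      # inside window, permitted role
        policy.decide("c-101", "tx-house-3", t(10)),  # role not permitted for this asset
        policy.decide("c-102", "sub-17", t(10)),      # deactivated in the identity source
    ]
    policy.revoke("g-1", revoked_by="e-007", at=t(12))  # e.g. work order closed early
    decisions.append(policy.decide("c-101", "sub-17", t(13)))  # revoked, so denied
    return {"decisions": decisions, "self_approval_refused": self_approval_refused,
            "audit": policy.audit}
```

The point of the design is that the cylinder never holds a standing list of "keys that open me": every open attempt is a policy decision that can be explained and reproduced from the audit entries, and deactivating the holder in the identity source or revoking the grant takes effect at the next attempt without touching the lock.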

That is the gap Key2XS addresses.

Key2XS connects electronic key systems with IAM and IGA platforms such as SailPoint, Microsoft Entra ID, Okta, One Identity and others. It brings physical access into the same governance model as digital access. The result is a controlled workflow for provisioning, approval, activation, revocation, audit and compliance.

AI must be used for resilience, not theatre

The energy sector is rapidly adopting AI in operations. But AI should not only be used for optimization. It should also be used to reduce access risk.

AI-assisted key planning can help organizations define smarter physical access models based on roles, locations, assets, work patterns, risk profiles and operational requirements. Predictive access control can identify unusual access patterns, risky combinations of rights, excessive privileges and outdated access models.

For critical infrastructure, this is not a nice-to-have. It is a resilience requirement. A crisis does not wait for manual reconciliation between IAM, contractor lists and key registers. During disruption, organizations need to know who can access what, who should be able to access what and which access must be removed immediately.

That requires automation, governance and auditability.
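The reconciliation this passage calls for (keys against the identity source against contractor rights, plus a look at access patterns) can be run as a plain rule set before any predictive model is added. The following is an added example for this article, not Key2XS software and not any platform's export format; the identity list, grant export, key event lines, work-hours window and privilege threshold are all constructed. It flags orphaned grants whose holder is no longer active, self-approved grants, expired grants still active on a key, identities holding more asset rights than a threshold, opens by inactive identities, opens without a covering grant, and opens outside the assumed field window.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample exports for this example (not real assets, keys or people).
IDENTITIES_CSV = """identity_id,status
c-101,active
c-102,terminated
e-007,active
"""

GRANTS_CSV = """grant_id,identity_id,asset_id,approved_by,valid_until,key_active
g-1,c-101,sub-17,e-007,2026-06-19T18:00:00Z,yes
g-2,c-102,sub-17,e-007,2026-12-31T00:00:00Z,yes
g-3,e-007,tx-house-3,e-007,2026-12-31T00:00:00Z,yes
g-4,c-101,sub-22,e-007,2026-05-01T00:00:00Z,yes
g-5,c-101,sub-23,e-007,2026-12-31T00:00:00Z,yes
g-6,c-101,sub-24,e-007,2026-12-31T00:00:00Z,yes
"""

KEY_EVENT_LOG = """2026-06-18T10:12:04Z key=K-0451 identity=c-101 asset=sub-17 result=open
2026-06-18T23:41:50Z key=K-0451 identity=c-101 asset=sub-17 result=open
2026-06-19T02:05:11Z key=K-0452 identity=c-102 asset=sub-17 result=open
2026-06-19T09:30:00Z key=K-0451 identity=c-101 asset=sub-40 result=open
"""

WORK_HOURS = (6, 20)          # assumed normal field window (UTC hours) for this example
MAX_ASSETS_PER_IDENTITY = 3   # assumed threshold for "excessive privilege"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    """Parse constructed 'timestamp key=value ...' event lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = parse_ts(ts)
        events.append(ev)
    return events


def reconcile(identities_csv, grants_csv, event_log, now):
    """Return findings as (severity, code, subject, detail) tuples."""
    identities = {r["identity_id"]: r for r in csv.DictReader(StringIO(identities_csv))}
    grants = list(csv.DictReader(StringIO(grants_csv)))
    for g in grants:
        g["valid_until"] = parse_ts(g["valid_until"])
    findings = []

    # 1. Outdated access model: rights still on the books that should not be.
    assets_per_identity = {}
    for g in grants:
        holder = identities.get(g["identity_id"])
        if holder is None or holder["status"] != "active":
            findings.append(("high", "ORPHANED_GRANT", g["grant_id"], f"holder {g['identity_id']} not active"))
        if g["approved_by"] == g["identity_id"]:
            findings.append(("medium", "SELF_APPROVED_GRANT", g["grant_id"], f"approver {g['approved_by']}"))
        if g["valid_until"] < now and g["key_active"] == "yes":
            findings.append(("high", "STALE_KEY", g["grant_id"], "expired but still active on the key"))
        if g["key_active"] == "yes":
            assets_per_identity.setdefault(g["identity_id"], set()).add(g["asset_id"])
    for ident, assets in assets_per_identity.items():
        if len(assets) > MAX_ASSETS_PER_IDENTITY:
            findings.append(("medium", "EXCESSIVE_PRIVILEGE", ident, f"{len(assets)} assets on active keys"))

    # 2. Unusual access patterns in the key event log.
    for ev in parse_events(event_log):
        if ev["result"] != "open":
            continue
        holder = identities.get(ev["identity"])
        where = f"{ev['asset']} at {ev['ts'].isoformat()}"
        if holder is None or holder["status"] != "active":
            findings.append(("high", "INACTIVE_IDENTITY_OPENED", ev["identity"], where))
        covered = any(g["identity_id"] == ev["identity"] and g["asset_id"] == ev["asset"]
                      and ev["ts"] < g["valid_until"] for g in grants)
        if not covered:
            findings.append(("high", "OPEN_WITHOUT_GRANT", ev["identity"], where))
        if not (WORK_HOURS[0] <= ev["ts"].hour < WORK_HOURS[1]):
            findings.append(("medium", "OFF_HOURS_OPEN", ev["identity"], where))
    return findings


def run_demo():
    return reconcile(IDENTITIES_CSV, GRANTS_CSV, KEY_EVENT_LOG,
                     now=datetime(2026, 6, 19, 12, 0, tzinfo=timezone.utc))


if __name__ == "__main__":
    for sev, code, subject, detail in run_demo():
        print(f"[{sev}] {code} {subject}: {detail}")
```

Each finding maps to one of the questions the article raises: an orphaned grant or a stale key is access that was never revoked, a self-approved grant is a broken approval flow, and an open by a terminated identity shows a key that still works because the locking system was never told what the identity source already knows.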

Compliance is moving in the same direction

NIS2 and CER are forcing critical organizations to think beyond classical IT security. They require a broader view of resilience, business continuity, supplier risk, incident response and protection of essential services. Physical access governance fits directly into that agenda.

A critical entity cannot claim mature resilience if it cannot prove who has physical access to critical assets. It cannot demonstrate proper supplier governance if contractor access is unmanaged. It cannot credibly report on incident readiness if emergency access is improvised. It cannot treat cyber and physical risk as separate worlds when attackers do not.

The question boards should ask

The boardroom question is simple:

Can we prove who can physically access our critical energy assets today?

If the answer is no, the organization has a resilience gap.

Not a facilities gap, not a key management gap, but a governance gap.

Energy resilience fails when physical access is unmanaged. Key2XS closes that gap by bringing physical access under identity governance, policy enforcement and audit-ready control. For critical infrastructure operators, that is the new baseline.