If your company does business in a tightly regulated industry and regularly handles sensitive data, then a sizable chunk of your organizational bandwidth is likely devoted to governance, risk, and compliance (GRC).
As mission-critical as GRC is for many organizations, however, relatively few excel in these three areas, McKinsey found in its 2025 Global GRC Benchmarking Survey. “For most companies, GRC is a work in progress,” it concludes in the report, which is based on a survey of 200 high-level business decision-makers.
One of the keys to improving GRC? Technology. That’s the conclusion from McKinsey.
That’s also the message from Richard Hills, Vice President at Sign In Solutions, who explains how embracing a more intelligent, data-driven approach to visitor management — an approach he calls Visitor Management 2.0 — can strengthen an organization’s GRC profile and yield a range of business benefits.
A convergence of factors, I think, is driving the heavy focus on GRC. Firstly, the rapid development and deployment of artificial intelligence is transforming the operations of many organizations, introducing new categories of risk that simply did not exist before. Partially in response to this, we see an influx of new standards and regulations on a range of fronts, from data privacy to cybersecurity, resulting in many new issues related to governance, risk, and compliance. And of course, regardless of the business you’re in — government contracting, healthcare, banking & finance, education, manufacturing, life sciences, high-tech — your customers want to be assured your organization is protecting their personal information, that it’s using technologies like AI responsibly, and that it is meeting all its legal and regulatory responsibilities.
There’s a misconception that visitor management is just about gatekeeping — managing the people coming in and out of the front door on any given day. In reality, it’s much more than that. A visitor management system should give you the means to apply and monitor uniform compliance requirements across multiple sites, even in multiple countries, with the ability to tailor compliance to the unique requirements of a specific site. It should provide intelligent, automation-supported analysis and threat detection throughout the entire visitor lifecycle, from first contact with your organization to after they depart. It should protect sensitive organizational, employee, and visitor data. And it should support governance and auditability with clear, transparent, and verifiable data and processes. What I’m talking about, essentially, is the concept of Visitor Management 2.0.
Basic visitor management approaches stop at routine check-ins and transactional verification. Visitor Management 2.0 represents a big leap forward. It enables an organization to manage how people enter and move through its facilities by combining compliance requirements, risk workflows, and intelligent access controls within a single platform. It gives them the means to centralize and apply policies across sites, and to tailor access based on each visitor’s profile and intent. Authentication, real-time verification, data insights, and audit-ready record-keeping are unified within a single environment and not scattered between systems. This eliminates gaps, human error, and blind spots, while also addressing the escalating risk related to hybrid physical-cyber threats. And it serves as an all-important single source of truth for verifying compliance with safety, legal, and industry regulations, and for simplifying and speeding audit preparation. All this is essential to strengthening GRC.
Within visitor management, the applications for generative AI, agentic AI, automation, and other intelligent capabilities are multiplying at a dizzying pace. Firstly, for managing risks, AI can prescreen visitors before they arrive against different compliance watchlists to generate automated alerts if there's a red flag. It can search for relevant risk profiles and notify the right people to seek approval before access to a facility is granted. It can spot unusual behavior patterns, whether that's a change to the sites someone visits, visiting at unusual times, or visiting sites outside of the scope of their work. And finally, AI can help gather, verify, and format data, either in reports, charts, or summaries, for audits and internal monitoring. All this bodes well for GRC-minded organizations.
The term “hybrid” describes a threat that can move from the physical domain to the cyber domain or vice versa. An example would be hackers accessing an internet of things (IoT)-connected HVAC system to disable other systems and compromise the physical security and safety of a facility and those inside it. Or it's a bad actor using social engineering against security guards, or identifying disgruntled employees from LinkedIn posts, in order to gain physical access to a building. The reality is, bad actors are constantly testing for vulnerabilities in both the physical and cyber domains, and they’re skilled at exploiting the weaknesses they find in one domain to launch an attack in the other.
It’s a risk that organizations cannot afford to overlook. Just ask hotel and casino operator MGM, or the Multnomah County, Ore., Health Department. Each of them was recently a victim of hybrid attacks. Also, keep in mind that hybrid threats are evolving faster than ever with AI. Social engineering, blackmail, and phishing can now be executed at scale by AI agents against all your employees, and it is only the weakest link that needs to break for your security to be compromised. And within businesses, agentic AI creates new internal surfaces that have to be defended from cyberattack.
Let’s return to the example of a bad actor using social engineering against your security guard to gain access to a facility. In older, unintegrated visitor management systems, the sign-in process might be pen and paper and only enforced by an individual security guard, who could wave someone through. A security team might need to rely on the honesty of the staff on the ground. Completely integrated visitor management systems require that the visitor identify themselves with ID, that the visit be approved by multiple people external to the site, and that the doors to the facility be physically unlocked only when these checks have passed. This means you no longer rely on individual weak links in the chain to maintain security.
While security and compliance are always top priority, they don’t have to come at the expense of the visitor experience. Quite the opposite, in fact. A Visitor Management 2.0 approach offers the best of both worlds: elevated security and compliance for the organization and a streamlined, concierge-type experience for the visitor. Touchless mobile check-in, advanced ID verification, and streamlined entry tailored to visitor type help speed access while ensuring only compliant visitors gain entry — without friction. The system can also deliver personalized services and high-end touches like the ability to book a parking space, room, or desk in advance, so the visitor feels expected, respected, and welcome. This builds trust in the company, reinforces a progressive brand image, and strengthens relationships, business opportunities, and talent attraction. The reality is that cumbersome, bureaucratic security is most likely to be circumvented by the people involved, and is therefore actually weak. The choice between effective security and superior visitor experience is a false dichotomy.
As a starting point, if your organization uses multiple siloed systems for visitor management and compliance, I’d recommend shifting to an integrated environment where those systems operate together seamlessly. Look for a system with capabilities that address your company’s specific GRC priorities and weaknesses. Also, look for one that satisfies the unique requirements of your industry related to data privacy, cybersecurity, and the like. And be sure the system comes from a vendor who understands the nuances of your business and your industry, and who takes security and compliance seriously. Ultimately, both the system and the vendor can be important assets in the effort to strengthen your GRC posture.
Richard Hills is the Vice President of Advanced Technologies at Sign In Solutions, and heads innovation projects and AI across the business, particularly in how AI can be applied to real problems in visitor management.
Sign In Solutions is the global standard for visitor management. With more than 22,000 customers across 100 countries — including Fortune 500 companies in technology, healthcare, manufacturing, and communications — the unified platform delivers rigorous security and a welcoming experience side by side.