
When cameras learn to think

by Mark Rowe

Ellie Hurst from the information security consultancy Advent IM considers AI governance and ISO/IEC 42001 in physical security.

I started pondering the uptake of AI in physical security and asked whether physical was leaving logical behind. Physical security has embraced applied AI through cameras, analytics, access control and control room workflows. ISO/IEC 42001 is beginning to appear in this market as a governance and trust signal. Standards are welcome where they support resilience, ethics and responsibility.

For years, physical security was treated as the practical cousin of cyber security. Cameras, doors, alarms, access cards, barriers and control rooms lived in one part of the organisation, while networks, data, systems and information risk lived somewhere else. That separation no longer makes sense.

Physical security systems are now network-connected, data-rich, AI-enabled and often cloud-managed. Cameras are no longer simply recording what happened. They are interpreting behaviour, detecting objects, supporting investigations, flagging anomalies and feeding operational decisions. Access control can involve identity, visitor data, biometrics, analytics and enterprise integration. In plain English, physical security kit is becoming part of the information security estate. That is why ISO/IEC 42001 matters here.

Risk structure

ISO/IEC 42001 gives organisations a structured way to manage AI risks and opportunities, including accountability, responsible use and continual improvement. There are examples of physical security and surveillance-linked firms adopting and promoting ISO/IEC 42001. So, has physical security embraced ISO/IEC 42001 more than the logical security world?

Not conclusively. It would be too strong to say the whole sector has adopted ISO/IEC 42001 faster than cyber or information security. The evidence is still emerging, and public examples are concentrated among AI-heavy surveillance, camera, video analytics and integration businesses.

But the more interesting point is this: physical security has embraced applied AI, including in products being deployed in public spaces, transport, critical infrastructure, high security sites and control rooms. Suppliers have an immediate need to explain how their AI is governed. ISO/IEC 42001 gives them a recognisable language for doing that.

For a buyer, ISO/IEC 42001 suggests a supplier is attempting to put governance around the AI lifecycle. It points to responsibilities, risk assessment, monitoring, control over AI-related change, and structure around how AI systems are developed, provided or used.

But it does not say: this supplier is automatically safe.

That distinction is essential, especially for Government, Defence and critical national infrastructure (CNI). A certificate is not a shortcut around supplier assurance. It does not remove the need to understand where data goes, how models are trained, how outputs are validated, what human oversight exists, how updates are controlled, and whether the supplier introduces strategic, geopolitical, privacy or operational risk.

This is particularly important in the UK. NPSA (National Protective Security Authority) guidance states that no visual surveillance equipment may be deployed onto sensitive sites where it is produced by companies subject to China's National Intelligence Law. Some AI-enabled vendors sit where technical capability, certification claims and national security risk must be considered separately. We have also seen confusion around data sovereignty: who has legal authority over the data, not just where the server sits.

This is where immature assurance goes wrong. It sees a standard and treats it like a stamp of goodness. Mature assurance sees a standard as one piece of evidence. ISO/IEC 42001 should prompt better questions, not fewer.

Cameras in a retail stockroom, a school and a sensitive Government site do not carry the same risk. The AI may be similar. The governance requirement is not.

This is also why the old divide between physical and logical security is becoming actively unhelpful. NPSA's CAPSS guidance [Cyber Assurance of Physical Security Systems] exists because physical security systems themselves need cyber assurance, and AI will play an increasing role in protective security when applied appropriately and implemented securely.

That is the convergence point.

Physical security has moved quickly because AI gives it obvious operational benefits. It can reduce noise, prioritise events, support investigations and help teams make sense of too much visual and sensor data. Cyber and information security may have been more cautious because AI also creates new attack surfaces, governance questions and failure modes. Neither world can afford to work in isolation now.

For organisations using AI-enabled physical security, what good looks like is not simply buying smarter technology. It is knowing what the technology does, what data it uses, where that data travels, who is accountable for outputs, how errors and bias are challenged, how cyber security is assured, and how supplier claims are evidenced.

ISO/IEC 42001 is useful because it gives organisations a management system route into those questions. It can sit alongside ISO/IEC 9001, ISO/IEC 27001, privacy management, supplier assurance, Secure by Design, operational resilience and incident management. But it should be treated as part of the assurance conversation, not the end of it.

The better explanation is not that physical security has become more responsible than cyber security, or that one side has won the AI governance race. Physical security has made AI visible, and ISO/IEC 42001 is now making AI governance visible too.

For boards, security leaders and procurement teams, that is welcome. But in high-security environments, the question is not simply: does the supplier have ISO/IEC 42001? The better question is: what does that certification actually assure, what does it not assure, and is that enough for the risk we are accepting?

Buyer questions

• What is the scope of certification?
• Which AI functions, products, services and geographies are covered?
• Who issued it and is it accredited?
• How does it integrate with ISO/IEC 27001 and incident response?
• What data is processed, where is it hosted, and is it used for model training?
• What human oversight exists where AI influences access or escalation?
• How are false positives, false negatives, bias and error handled?
• What risks sit outside scope? Is the product suitable for Government, Defence, CNI or high-security use?

Certifications are valuable when they sharpen governance, reduce risk and change behaviours for the better. I did not quite answer my original question, but I re-affirmed the bigger point: a blended approach across physical and logical security is the future, and AI is proving that every day.

About Advent IM

The firm specialises in Governance, Risk, and Compliance (GRC). More from Advent IM on their blog: https://www.advent-im.co.uk/content/blog/. Ellie, a Women in Security winner in 2022 in the contribution to industry category, is commercial director at Advent IM; among her public speaking, she was a speaker at The Security Event at the Birmingham NEC in 2025 and 2026.