Physical Security
How individuals interact with physical spaces and assets to protect sensitive environments.
Indicators
An observed identity enters a facility without recording corresponding exits. This anomaly may suggest tailgating, improper badge use, or manipulation of physical access systems, weakening accountability and complicating incident investigations.
An observed identity records exit events without prior corresponding entries. This may indicate badge misuse, shared credentials, or physical security bypass, eroding the reliability of facility occupancy records.
An observed identity permits another person to enter a secure area without individual authorization. This behavior, often known as tailgating or piggybacking, increases the risk of unmonitored access and potential insider threats.
An observed identity leaves a secure door open longer than standard thresholds allow. Extended open states can enable unauthorized entry, reduce the effectiveness of access controls, and compromise sensitive areas.
An observed identity attempts to enter restricted areas where they lack clearance. Multiple denied access attempts may indicate insider reconnaissance, policy violations, or a compromised badge.
An observed identity generates an unusual volume of denied badge attempts compared to peers or baseline patterns. Elevated denial rates can indicate credential misuse, privilege escalation attempts, or insider threat activity.
An observed identity enters facilities at a frequency significantly above normal baselines. Excessive access may point to reconnaissance, data theft preparation, or circumvention of established duty patterns.
An observed identity accesses facilities at unusual hours, such as late nights or holidays. Off-hours access may suggest malicious intent, compromised credentials, or attempts to avoid detection.
An observed identity appears in secure areas without matching badge activity, detected through surveillance or analytics. This discrepancy may signal badge cloning, credential sharing, or physical bypass of access controls.
An observed identity enters facilities despite being on documented leave. This misalignment with HR records can indicate credential misuse, insider risk, or a failure in badge deactivation processes.
An observed identity gains facility access after termination or offboarding. This indicates serious deprovisioning failures, potential insider threats, or unauthorized continued access.
An observed identity records badge activity in multiple facilities or zones at the same time. This physical impossibility may suggest cloned credentials, badge sharing, or manipulation of access logs.
An observed identity repeatedly enters sensitive zones but departs after very short intervals. Such patterns can indicate reconnaissance, insider scouting, or attempts to avoid detection while gathering information.
An observed identity spends abnormally long periods in sensitive areas compared to typical usage patterns. Extended dwell time may suggest unauthorized activities, staging of insider operations, or preparation for data theft.
An observed identity shows simultaneous presence onsite and remote logins. This anomaly may reveal credential compromise, session hijacking, or inaccurate identity tracking across systems.
An observed identity is present onsite without visibly displaying their badge. This undermines visual security protocols, complicates identity verification, and increases the risk of unauthorized individuals blending in.
An observed identity sponsors visitors at a frequency exceeding typical baselines. Unusual sponsorship volume may indicate lax adherence to visitor vetting, facilitation of unauthorized access, or potential collusion.
An observed identity attempts to authorize visitors who are barred from access. This activity signals potential negligence, insider collusion, or efforts to bypass visitor controls.
An observed identity does not follow required actions during emergency or security drills. Poor compliance undermines readiness, increases vulnerability during real incidents, and signals weak security culture.
An observed identity leaves sensitive information unsecured during a clean desk audit. Exposure of confidential data in shared or open spaces increases risks of data leakage, insider misuse, or compliance violations.
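A small correlation pass over badge events that flags four of the indicators above (entry without exit, exit without entry, simultaneous presence at two sites, and off-hours entry). This is an added example, not code from the original page; the CSV-style event format, the "site/zone" naming, the business-hours window and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample badge events (not from any real access-control system).
# Format assumed: ISO timestamp, identity, site/zone, ENTRY or EXIT.
BADGE_EVENTS = [
    "2024-03-04T08:55:00,u1001,HQ/Lobby,ENTRY",
    "2024-03-04T17:30:00,u1001,HQ/Lobby,EXIT",
    "2024-03-04T09:10:00,u1002,HQ/Lobby,ENTRY",        # never badges out
    "2024-03-04T18:05:00,u1003,HQ/Lobby,EXIT",         # exit with no prior entry
    "2024-03-04T10:00:00,u1004,HQ/DataCenter,ENTRY",
    "2024-03-04T10:02:00,u1004,SiteB/Lab,ENTRY",       # second site while still inside HQ
    "2024-03-04T12:00:00,u1004,HQ/DataCenter,EXIT",
    "2024-03-04T12:30:00,u1004,SiteB/Lab,EXIT",
    "2024-03-05T02:15:00,u1005,HQ/Lobby,ENTRY",        # off-hours entry
    "2024-03-05T03:00:00,u1005,HQ/Lobby,EXIT",
]

BUSINESS_HOURS = (time(7, 0), time(20, 0))  # assumed normal access window

def parse_events(lines):
    """Parse the constructed CSV lines into (timestamp, identity, zone, action), sorted by time."""
    events = []
    for line in lines:
        ts, ident, zone, action = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), ident, zone, action))
    return sorted(events)

def analyze(lines):
    """Return a list of (indicator, identity, zone) findings derived from the badge events."""
    findings = []
    open_entries = defaultdict(dict)  # identity -> {zone: entry time} for unclosed entries
    for ts, ident, zone, action in parse_events(lines):
        site = zone.split("/")[0]
        if action == "ENTRY":
            if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
                findings.append(("off_hours_entry", ident, zone))
            # Still inside a different site: the identity cannot be in two places at once.
            if any(z.split("/")[0] != site for z in open_entries[ident]):
                findings.append(("simultaneous_presence", ident, zone))
            open_entries[ident][zone] = ts
        elif action == "EXIT":
            if zone in open_entries[ident]:
                del open_entries[ident][zone]
            else:
                findings.append(("exit_without_entry", ident, zone))
    # Anything still open at the end of the window is an entry without a recorded exit.
    for ident, zones in open_entries.items():
        for zone in zones:
            findings.append(("entry_without_exit", ident, zone))
    return findings

if __name__ == "__main__":
    for finding in analyze(BADGE_EVENTS):
        print(finding)
```

In practice the open-entry check runs per day or per shift so that a single missed badge-out does not accumulate across the whole log.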
Relevance
This category maps non-digital access risks such as tailgating, badge misuse, or leaving devices unattended. It connects physical behaviors with digital exposure potential.
Why this matters
Physical controls are often overlooked but remain essential. An attacker with physical access can bypass digital protections entirely. Practitioners must ensure physical and cyber practices align.
Consequences of neglect
Weak physical security results in device theft, insider threat activity, and unauthorized access to sensitive data centers or workspaces, undermining all other layers of defense.