May 06, 2026


Highlights

  • More than 50% of organizations with more than 200 employees are already using AI for building security, according to our 2026 AI & Digitalization in Facilities Management Report
  • Concerns around cybersecurity, data privacy and compliance constrain expansion
  • Physical security and cybersecurity are fast becoming inseparable responsibilities for facilities teams
  • Cyber resilience in the built environment requires a “defense-in-depth,” “secure-by-design” approach

Ensuring the physical safety and security of people, property and assets has long been a core responsibility of facilities and real estate teams. What’s changed is how that function is carried out.

Today, facility managers increasingly rely on technology – such as networked cameras, badge readers and Internet-of-Things (IoT) sensors – to augment traditional security practices. Artificial intelligence (AI) is accelerating this evolution. According to the 2026 AI & Digitalization in Facilities Management Report, building security, access control and safety monitoring is a leading AI use case, with 50% of business leaders and 53% of facility managers already using AI for that purpose.

The growing reliance on connected technology introduces a new challenge: Every networked device deployed to improve physical safety and security becomes a potential access point for cyber threats. While organizations are eager to expand AI-enabled automation, our survey found that 22% of business leaders and 17% of FMs cite data privacy and security concerns as the biggest barrier to expanding the use of AI for facility operations.

This tension is blurring the lines between information technology (IT) and operational technology (OT). FMs are being asked to take on the added responsibilities of protecting connected building systems, maintaining operational resilience and demonstrating compliance. However, with proper technology, they don’t have to handle this burden alone. Here's a look at how OpenBlue – award-winning, AI-optimized building software from Johnson Controls – supports facilities and real estate teams as they navigate this new, high-stakes landscape.

1) Start with a foundation of network segmentation and zero-trust principles

As building systems connect to analytics platforms and cloud applications, the network becomes part of the facility’s operational backbone. If that backbone isn’t segmented and secured, risk multiplies quickly – especially in mission-critical environments that can’t tolerate disruption.

OpenBlue features architectures aligned with zero-trust networking principles, including segmentation that limits communication pathways and reduces lateral movement in the event of an intrusion. Technologies such as OpenBlue Airwall help “cloak” devices and systems, allowing only authenticated users and approved applications to communicate with protected assets. This approach reduces exposure without relying solely on perimeter defenses.

In one real-world example, the OpenBlue Airwall overlay network allowed the facilities automation team at Penn State University to:

  • Isolate and cloak all systems within their building automation system infrastructure,
  • Eliminate the need for public IP addresses and
  • Segment network access control for employees, contractors and vendors.

The end result was a reduction of almost 90% in their total attack surface.

For organizations modernizing connected environments, this type of defense-in-depth, security-by-design approach is increasingly essential to reduce cyber risk and meet evolving expectations around OT security and resilience.

2) Build cyber resilience at the edge

OpenBlue Airwall is an essential component in our approach to edge connectivity and security. OpenBlue Bridge (OBB) – which integrates devices, cloud Security as a Service (SaaS) offerings, legacy on-premises platforms and web applications – embeds built-in edge intelligence and computing directly into a broad range of small-footprint edge devices. By hosting the processing, analytics and applications as close as possible to the physical sensor infrastructure, OBB minimizes latency and improves performance and response times. It also enables more effective maintenance and operational strategies.

OBB installations incorporate OpenBlue Airwall as a secure, identity-based gatekeeper between edge devices and the cloud. Zero-trust principles are used to help protect connected building systems.

This is important for organizations trying to reduce the impact of an incident by segmenting communications and limiting lateral movement – an increasingly common expectation in OT security programs. It’s also critical for compliance since organizations are often evaluated based on whether their connected environments are architected to reduce risk by design.

See how organizations are using AI to improve cybersecurity in the AI & Digitalization Report


3) Protect connected security assets across their full lifecycle

Cameras, access control systems and other security devices are digital assets that must be monitored, maintained and protected over time. OpenBlue Services help organizations manage the health, performance and compliance of their physical security infrastructure. These security lifecycle management services provide visibility into device status, software versions and system health. They also help teams identify vulnerabilities, manage updates and reduce the likelihood of failures or blind spots.

This approach is particularly important for organizations operating at scale, where hundreds or thousands of security devices may be deployed across multiple buildings or sites. By reducing manual oversight and centralizing visibility, facilities teams can maintain stronger security postures without adding operational complexity.

4) Secure the data layer that powers analytics and AI

As facilities teams rely more heavily on analytics and AI to improve safety, security, access control and compliance, protecting the underlying data becomes just as critical as protecting physical devices.

The OpenBlue Data Platform, which consolidates both IT and OT data from across the building’s ecosystem, is designed with security and governance built in. The data platform supports encrypted data transmission, AES-256 data-at-rest protection and a zero-trust cloud architecture. This helps ensure that sensitive operational and security data remains protected throughout its lifecycle. Web application firewalls (WAFs) further defend against sophisticated attacks, while access controls help ensure that users only see the data they are authorized to view.

Without trusted data and clear governance, even the most advanced analytics tools can introduce new risks instead of mitigating them. This secure data foundation is essential for organizations looking to scale AI responsibly.

5) Enable compliance through visibility, documentation and control

Regulatory and compliance requirements are expanding alongside digital transformation. Facilities teams are increasingly expected to prove that systems are secure and controls are being monitored and documented.

OpenBlue supports this need by providing centralized visibility into connected systems, security assets and operational data. Dashboards and reporting capabilities make it easier to document system performance, track changes and respond to audits or regulatory inquiries with confidence.

Rather than treating compliance as a one-time exercise, this approach allows organizations to maintain continuous awareness and readiness. Risk is reduced and teams are free to focus on higher-value work.

Removing an obstacle to safer, more secure, AI-empowered facilities and systems

As the findings of the 2026 AI & Digitalization in Facilities Management Report show, organizations are keen to adopt technology solutions to make their facilities safer and more secure. However, cybersecurity, data privacy and compliance remain lingering concerns.

As AI adoption accelerates, facilities and real estate teams are stepping into a more strategic role. This helps ensure that connected environments are high performing, trustworthy and resilient. OpenBlue supports that transition by providing:

  • Secure-by-design network and edge architecture
  • Managed connectivity and a secure data foundation that can support AI applications
  • Lifecycle oversight for distributed security assets across vendors
  • Reporting and compliance capabilities that demonstrate consistent control and oversight

By combining zero-trust networking principles, lifecycle management for security assets and a secure data platform, OpenBlue helps organizations future-proof their facilities. Disruption can be avoided, regulatory change can be managed and evolving cyber threats can be prevented without sacrificing the operational and business benefits of digitalization.


Frequently asked questions

1. What is the difference between security and compliance in enterprise technology environments?

Security refers to the technical, administrative and physical controls used to protect systems, data and users from unauthorized access. Compliance refers to aligning those security controls with required laws, regulations, standards and frameworks such as ISO 27001, SOC 2, GDPR or industry‑specific requirements. In practice, strong security enables compliance, but compliance alone does not guarantee strong security.

2. Why are security and compliance important for organizations working with cloud and digital systems?

Security and compliance are critical because cloud and digital systems often store sensitive data, support essential operations and connect multiple partners and platforms. Effective security reduces the risk of cyber threats, data loss and downtime. Compliance helps organizations meet regulatory obligations, maintain customer trust and avoid legal or financial penalties. Together, they support operational resilience and business continuity.

3. How can organizations strengthen their security and compliance posture over time?

Organizations can improve security and compliance by adopting a continuous approach that includes regular risk assessments, policy reviews, employee training, system monitoring and third‑party oversight. Aligning security programs with recognized frameworks and integrating compliance considerations into daily operations helps ensure protections evolve alongside new threats, technologies and regulatory changes.