4 Key Control Vulnerabilities State and Local Governments Overlook

In a Gallup survey, most Americans said they trust state (59%) and local (67%) governments a great deal or fair amount — more than they trust the federal government. To maintain this trust, it’s important to secure keys to prevent key misuse, which could lead to inefficient use of taxpayer dollars, security breaches, and other costly consequences. If you’re responsible for key control within a state or local government organization, here are some of the top vulnerabilities you may overlook and how to address them:

1. Inadequate User Management

Staffing continues to plague state and local governments. In YouGov’s "The State of Local Government Survey,"  52% of respondents said hiring is their greatest challenge, and 51% said they struggle with understaffing due to limited resources. In that environment, it’s easy to understand why your staff might struggle to stay on top of key management tasks. But if you don’t properly manage users’ access — whether it’s physical keys or digital locks — the risk of security breaches increases.

Risks

Prioritizing Convenience Over Security

An ASIS international survey revealed that 24% of access control failures were caused by over-prioritizing employee convenience. One example is a Texas city’s security audit, which revealed that over half of employees with assigned access cards shared the same access code. In a Washington state county, an audit of high-risk asset controls in the Facilities Management department found that an employee had signed for a key on behalf of another recipient to expedite the process.

24% of access control failures were caused by over-prioritizing employee convenience.

Other examples of prioritizing convenience at the expense of security could include:

• Issuing too many master keys
• Leaving keys inside fleet vehicles
• Sharing access codes across multiple departments

Failing to Regularly Review User Access

It’s important to regularly review who has key access and compare it with their job role and employment status. For example, a Nevada audit found that “keycard accounts were not reviewed [regularly] to ensure the continued need for access to secure areas.” Similarly, the aforementioned Washington audit revealed that an employee kept his keys and access card after changing roles. But that wasn’t the worst of the findings. The audit found 98 former employees and vendors with active access cards, which were deactivated upon review. Of those, 16 cards showed activity after the user’s departure. The report also identified 170 unreturned keys issued to former employees and vendors.

Washington State County Audit Results

The issue of failing to revoke former employees’ access isn’t isolated. In the Texas audit, 70 terminated employees still had active badge cards.

To illustrate the severity of this problem, consider the case of a Connecticut city that was fined over $200,000 after a fired health department employee used her work key to enter her former office and download nearly 500 patients’ protected health information.

A Connecticut city ... was fined over $200,000 after a fired health department employee used her work key to enter her former office.

Solutions

• Implement a key and access control strategy that balances security and convenience to reduce the burden on short-staffed departments.
• Use key management systems that automatically authenticate users to maintain the chain of custody.
• Set up access levels and regularly review them, revoking or updating access based on employment status.
• Collaborate with Human Resources to verify employee separations.
• Secure various kinds of assets (fobs, access cards, and physical keys) in an electronic key management system.
• Deactivate electronic access to key control systems and access cards.

• Create comprehensive offboarding checklists.

2. Manual Tracking Methods

While more organizations are implementing smart technology and artificial intelligence, manual processes are still a top challenge for state and local governments. These inefficient workflows include finance teams using spreadsheets and procurement teams requiring suppliers to mail in paper copies of bids. Using paper key control forms is another common manual process.

Example Paper Key Log 

Risks

Stolen Keys and Assets

Manual processes put keys at risk of theft, misuse, or duplication, as they often involve easily accessible key cabinets, desk drawers, or pegboards. Paper logbooks also make tracking signed-out keys difficult, increasing the chance of undetected theft.

For example, imagine a city government building that stores keys to restricted areas in a lockbox and uses a physical sign-out sheet. One afternoon, the IT server room key was signed out for “maintenance” but never returned. With no assigned name and no immediate follow-up, the missing key — and the unsecure server room — go unnoticed overnight. This scenario demonstrates how manual tracking can leave critical infrastructure vulnerable.

Lost Productivity

Staff struggle to perform their jobs efficiently when tasks are repetitive and cumbersome. These time-consuming tasks also pull employees away from other responsibilities, reducing overall productivity. Consider that manually documenting a key checkout takes as much as five minutes per key (not counting the time required to track down missing keys). In areas with lots of key activity, such as fleets, this time adds up quickly.

Errors or Incomplete Data

Errors, incomplete documentation, or manipulation are common in manual processes. For example, the Washington audit found several shortcomings in its key and access card management processes, including:

• Waived documentation when department staff requested keys or access cards, leaving gaps in the audit trail
• Lack of inventory list for access cards, including blanks
• No security access revisions due to changes in employment status
• Reactive record updates in response to departments returning keys, reporting lost or missing keys, or revoking users' security access
• Missing paperwork for keys issued to vendors
• Names listed differently across systems, making annual inventory challenging
  
  

Time-Consuming Audits

With manual processes, audits are time-consuming and complicated. They often involve coordination with multiple departments, cross-referencing records, and visually accounting for every key or card. This complexity might explain why the Washington state county’s Facilities Management department hadn’t completed its required annual inventory of keys and access cards.

Solutions

• Implement electronic key control systems that prevent unauthorized key access and automatically create detailed, verifiable key activity logs.
• Set up overdue key alerts.
• Use a data integration tool to keep data up to date across your key control system and other databases.
• Run reports on key activity by specific employees, vendors, or types of keys.
  
  

3. Ineffective Processes

Even when local governments recognize the importance of key control, they often implement processes that are ineffective or inconsistent across departments. Without standardized protocols that are well-documented and communicated, your key management becomes vulnerable to security gaps.

Risks

Fragmented Operations

In the Washington audit, the Facilities Management department used software to manage access cards, whereas the locksmith used a spreadsheet to track keys. When a blank access card went missing, the department couldn’t determine whether the card had been assigned, destroyed, or lost. The card eventually turned up, but the incident highlighted a larger problem: Security records were stored in separate systems with no cross-referencing, making it difficult to track assets across departments.

A similar issue came up in a security audit of a major Colorado city, where fragmented operations were made worse by a lack of focus on security and unclear roles and responsibilities.

Lack of Documented Policies

Without clearly documented key management policies, your staff lacks consistent guidelines to follow, creating security vulnerabilities through inconsistent practices. This risk was evident in the Texas city’s audit, since it didn’t have written policies and procedures for managing facility door keys.

Lack of Awareness

Simply documenting policies and procedures isn’t enough if users aren’t aware of them. In the Washington audit, employees and vendors “were unaware of their role, responsibilities and acceptance of potential liability they are acknowledging when signing for their key and/or access card.” This lack of awareness can lead to security gaps and make it harder to hold users accountable.

Solutions

• Develop standardized, interdepartmental key control protocols with clearly defined roles and responsibilities.
• Document key control policies and make sure staff are aware of them.
• Implement a key management system that can store and track keys, fobs, and cards.
• Designate key control system administrators.
• Conduct regular key control training.
• Review policies periodically to ensure they remain relevant and effective.
  
  

4. Limited Data Visibility and Reporting

Without visibility into your key activity, you can't effectively monitor who has access to what areas or assets and when they're using that access. In addition, stolen keys might go undetected for extended periods. In local government, this lack of insight is particularly problematic since coordination between departments is already difficult.

Risks

Incomplete Audit Trail

Without a complete audit trail, you can't effectively track your keys. When keys go missing, there’s often no immediate sign of a security breach. In some cases, stolen keys may go unnoticed for months or even years, putting facilities, vehicles, equipment, and sensitive information at risk. In the Washington audit, for example, limited record-keeping made it impossible to verify when vendor access should have ended, as individual departments managed permissions cancellations without updating centralized security records.

Limited Key Usage Data

Failing to capture key usage data could mean missing unauthorized after-hours access or unusual key checkout patterns. This security risk is especially concerning for fleet vehicles, data centers, and other areas where tracking is essential.

Compromised Incident Response

When security incidents occur, an incomplete audit trail hampers your ability to investigate effectively. Without knowing who accessed what areas and when, you can't determine the scope of a breach or identify responsible parties. This data gap can appear as a lack of transparency to constituents and oversight bodies, potentially damaging public trust.

Solutions

• Adopt electronic key control technology with in-depth reporting capabilities.
• Establish clear protocols for data retention and backup.
• Have automatically generated reports emailed to you on a regular basis.
• Set up real-time alerts for suspicious or unauthorized key activities.

Effective Key Control in State and Local Governments

As the saying goes, “Trust is hard-earned, easily lost, and difficult to re-establish.” Strengthening your key control procedures by effectively managing users, automating key tracking, standardizing processes, and improving reporting will help you reduce security risks and use resources responsibly. In doing so, you’ll reinforce your community’s trust.