Written by Catherine Carducci | Product Marketing Manager, Aliro | Safetrust
There’s a wall running through most large enterprises, and almost nobody talks about it directly. On one side: physical security, managing badge readers, door controllers, and credential programs. On the other: identity and IAM, PKI management, Zero Trust frameworks, and enterprise authentication. Both teams are trying to solve the same fundamental problem: verifying that a person is who they say they are. But for decades, they’ve been doing it with completely different tools, different standards, and different assumptions about what “trust” means. The result? Teams that should be working together to keep people and places secure are still operating in silos. Until now.
That wall is coming down. And the decisions your organization makes in the next 12 to 24 months will determine whether you’re positioned ahead of that shift or scrambling to catch up.
The divergence that created the problem
Enterprise IT identity moved to open, cryptographic standards years ago. PKI, PIV, SSO, and FIDO gave organizations a scalable, interoperable identity across applications, devices, and organizational boundaries. Trust lives in certificates, not in proprietary hardware. Credentials can be issued, renewed, and revoked through centralized lifecycle management. Any vendor whose solution conforms to the standard can participate.
Physical access control went in a different direction. For four decades, the dominant model has been closed ecosystems: proprietary cards, proprietary readers, proprietary encoding, and back-end systems tightly coupled to a single vendor’s stack. If you deployed HID iCLASS®, SEOS, Prox, or MIFARE® DESFire®, you were entering a relationship with a specific vendor’s cryptographic or encoding model and building a dependency that could take years to exit.
That model worked until it didn’t. Enterprises now expect physical access to integrate with multiple vendors and internal teams, align with enterprise IAM and cybersecurity policies, support mobile-first user experiences, and withstand an infosec review. Legacy proprietary PACS architectures weren’t designed to do any of those things, and adapting them is increasingly expensive — in dollars, in operational complexity, and in risk.
What Aliro actually is
Aliro is an open standard for access credentials and reader communication, developed through the Connectivity Standards Alliance (CSA) with participation from more than 400 organizations, including Apple, Google, Samsung, and Safetrust. It defines credential provisioning, authentication, and device-reader communication at the protocol layer rather than the hardware layer. This protocol layer enables Safetrust’s identity-driven access platform to deliver secure, seamless orchestration across people, places, and systems.
That distinction matters. Because Aliro operates at the protocol level, it is chip-independent. It works across physical smart cards and mobile devices. It supports NFC, Bluetooth Low Energy (BLE), and Ultra-Wideband (UWB) as communication technologies. It can live in Apple Wallet, Google Wallet, Samsung Wallet, and Safetrust Wallet, on a card or in a purpose-built enterprise app. The security model is based on public-key cryptography, the same cryptographic foundation your IT team already uses between web browsers and web servers.
The result: a physical access credential that behaves like an enterprise IT credential. Identity is determined by your organization’s certificate authority, not by which vendor manufactured the card.
Why this matters to both of your teams
If you’re on the physical security side, Aliro means you can stop accepting the premise that credential vendor lock-in is inevitable. Your infrastructure can support credentials issued by multiple providers, across multiple device form factors, and recognized by readers from multiple manufacturers.
At ISC West in March 2026, Safetrust made history by demonstrating the first Aliro Enterprise physical credential operating in tandem with Aliro mobile credentials: a single, unified platform that uses an organization’s own digital certificates to provision and manage access across multiple vendors and partner ecosystems. As Jason Hart said at the announcement: “Aliro represents the turning point the industry has been missing: an industry-led standard (not a top-down mandate) that combines enterprise-grade, certificate-based security and privacy with the scale of consumer ecosystems. The result is true interoperability, a non-proprietary supply chain, and materially lower-cost identity across multi-vendor environments.”
That wasn’t a proof of concept; it was the first production-ready signal that unified card-and-mobile Aliro is deployable today. The broader ecosystem moved fast in the weeks that followed: Kastle became the first managed services provider to deploy Aliro 1.0 credentials across Apple Wallet, Google Wallet, and Samsung Wallet at enterprise scale. M.C. Dean launched InfraLink Pass, an Aliro-native mobile-first credential solution, at the same show. Last Lock shipped the first Aliro-certified commercial lock. The ecosystem is real, it’s shipping, and it’s expanding fast.
If you’re on the identity and IAM side, Aliro means physical access can finally be brought into your enterprise security architecture. Certificate-based identity. Mutual authentication between the credential and the reader (more on this in Part 2). Credential revocation that responds as fast as your PKI can act. Integration with the same identity lifecycle governance you already apply to logical access. The wall between your world and the world of physical security now has a door.
The question isn’t whether — it’s when
One of the more honest conversations happening in the industry right now is about timing. The long-term case for Aliro is clear. The near-term question is what the right pace of adoption looks like for your organization. The good news: adoption doesn’t require ripping out existing infrastructure. Dual-technology readers can support both legacy credentials and Aliro simultaneously. Hybrid card form factors can carry Aliro alongside MIFARE® DESFire® or HID® iCLASS®.
What isn’t optional is deciding where you stand. The credentials you’re buying today and the architecture decisions you’re making about readers, panels, and backend systems will either give you a path forward or lock you in deeper. This is exactly the moment to get informed.
Safetrust helps enterprises operationalize Aliro today with certificate management, mobile credential orchestration, and migration strategies that protect your existing investments.
Two places to go deeper this month
At Aliro Decoded on June 10 (11:00 AM PT / 2:00 PM ET), Jason Hart and Will Holderness cover how Aliro’s certificate-based protocol delivers multi-vendor interoperability, unified mobile + physical identity, and cross-org federation without shared secrets, plus practical migration strategies, Zero Trust and PKI alignment, and why the next 12–24 months are the critical decision window.
On Tuesday, June 17 at 3:45 PM, Jason Hart will be speaking at Unify on “Commercial Aliro: Why Now, What It Unlocks, and What Has to Be Done” — alongside Allegion, dormakaba Americas, Last Lock, and The Access Control Collective. This is a practitioner-level conversation about the commercial sector’s hardest credentialing challenges: multi-badge, multi-vendor, multi-tenant environments, and the growing collision between digital and physical identity. As a member of the Connectivity Standards Alliance, Safetrust is one of the voices helping frame where the standard goes next.
Safetrust is a proud member of the Connectivity Standards Alliance.
Catherine Carducci is Product Marketing Manager for Aliro at Safetrust. Safetrust is a founding member of the Connectivity Standards Alliance Aliro Technical Steering Group and an active contributor to the development of the Aliro standard.