AI-Powered Idenity & Access Services | Athena AI | Athena AI | Athena AI
Sections
Identity & Access
Know who enters. Know when. Know where. On your hardware.
Camera-based identity and access turns your existing camera infrastructure into an access control layer — one that knows the difference between an authorised staff member and a tailgater, can flag a visitor who was cleared for one zone entering another, and produces a visual audit trail that a card-swipe log never could.
Athena AI builds these systems to run on your hardware. Enrolment templates stored on your infrastructure. No biometric data transiting third-party servers. No per-door SaaS licensing that compounds as your facility grows. And a compliance architecture designed from the ground up for the jurisdictions you operate in.
[Book a Discovery Call →] [See How It Works]
What camera-based access gives you that credentials alone cannot
Keycard / PIN only
Keycard + Camera
Camera-primary (Athena AI)
Tailgating prevention
None
Partial — alert after the fact
Real-time — second person detected before door closes
Lost / cloned credential
What camera-based identity and access actually does
A badge reader knows a card was presented. It does not know who presented it. A lost card grants access until someone notices and reports it. A cloned card grants access indefinitely. A badge handed to a colleague for convenience — tailgating at the door, or sharing for a shift — is invisible to a credential-only system.
Camera-based identity closes that gap. The camera sees the person, not just the credential. It knows whether the face presenting the badge matches the enrolled profile. It detects a second person following through a door before it closes. It maintains an audit trail that answers not just 'was card 4471 used at door 3 at 08:14' but 'who was that, what did they look like, and where did they go next.'
That capability — connecting a physical presence to an identity, in real time, on your hardware, with a visual record — is what this system provides.
The three things camera-based access does that credentials cannot
1. Confirms identity, not just possession
A keycard confirms someone has the card. A camera confirms the person holding the card is the person enrolled against that card number. These are different facts. In a controlled environment — a data centre, a clinical ward, a server room — the difference is material.
2. Detects what credentials are blind to
Tailgating — a second person following an authorised entry through a door before it closes — is invisible to a card reader. Camera-based access detects it in real time. The same applies to a person entering a zone they're authorised to access but then moving into an adjacent zone they're not — something a door-mounted reader never sees once the door is open.
3. Produces evidence, not just logs
A card-swipe log tells you a credential was used. A camera-based access system tells you who used it, what they looked like, and where they went. For compliance purposes — a data centre audit, a clinical incident review, a regulatory inspection — that difference is significant.
The identity methods and when each is appropriate
'Camera-based access' is not one thing. Several different underlying approaches produce different capabilities, different accuracy levels, and critically — different legal and compliance profiles. Understanding which method is being used matters for your legal team as much as your security team.
Camera-based identity and access is a hardware-software co-design problem with a compliance layer that is as load-bearing as the ML stack. The choice of identity method, the model architecture, the enrolment database design, the threshold configuration, and the data residency architecture are all decisions that interact — and all of them have legal as well as technical consequences.
This section covers the full stack: hardware topology, the inference pipeline per identity method, the enrolment and gallery architecture, performance targets, deployment topologies, and the hard problems we plan for.
Hardware topology
Component
Hardware
Role
When used
Entry-point edge node
Jetson Orin NX / AGX
Face/appearance inference at door. Sub-300ms decision. Local enrolment cache.
Always — every controlled entry point
Central identity server
On-prem GPU server (T4 / A10)
Deploying a camera-based access system is day one. Maintaining it accurately, keeping the enrolment database current, managing retention obligations, handling subject access requests, and keeping models performing as your population and environment change — that is the operational reality. This section covers how Athena AI-built identity and access systems live in production.
Enrolment management
Initial enrolment
Bulk enrolment tools accept identity records from HR systems (name, role, zone permissions, email) and prompt each individual through a self-service or operator-assisted capture flow. Image quality is enforced at capture — minimum resolution, frontal angle, eye openness, no occlusion. Low-quality submissions are rejected with specific feedback. Consent records are captured and timestamped at enrolment for face recognition deployments.
Ongoing maintenance
Enrolment records expire at a configurable interval (typically 12–24 months for workplace deployments). Expiry triggers a re-enrolment prompt — not automatic access revocation, but an alert to the identity owner and their manager. Repeated false rejects against an enrolled identity trigger a re-enrolment prompt automatically. Leavers are removed via HR system integration or manual revocation — removal is immediate and propagates to edge node caches within a configurable window.
Visitor management
Temporary enrolments with defined access windows and automatic expiry. Visitor enrolment captured at reception — a single frontal capture, associated with the visit record, expires at end-of-day or end-of-visit. No consent gap: visitors are informed and consent obtained as part of reception check-in. Visitor templates are deleted automatically at expiry.
Compliance operations
Jurisdiction / Framework
Face recognition legal basis
Key requirements
Our approach
Full access until revoked
Partial mitigation
Invalidated — face/appearance doesn't match enrolled profile
Audit trail
Card swipe log only
Card + camera timestamp
Full visual audit — who, where, when, with image record
Touchless operation
No (PIN) / partial (card)
No
Yes — walk-up recognition, no credential required
Multi-site identity
Requires shared card system
Requires VMS integration
Unified identity database across all sites
Compliance evidence
Log only
Log + camera clip
Structured per-event record with confidence score and image
Where this deploys
Corporate campuses and office buildings. Touchless lobby entry, tailgating prevention, multi-zone access control, visitor management. Replaces or augments badge readers without replacing the badge infrastructure.
Data centres and server rooms. Strict zone access with visual audit trail. Multi-factor: face confirmation against badge swipe. Every entry timestamped with an image record.
Healthcare facilities. Staff zone access, restricted ward entry, contractor management. Air-gapped deployment — no biometric data leaves the clinical network. HIPAA and PHIPA compliant by architecture.
Government and regulated facilities. Controlled perimeter access, identity audit trail, intruder detection. Full air-gapped operation where required. Signed model updates only.
Manufacturing and industrial sites. Shift-based access, restricted zone enforcement, contractor and visitor management. Integration with existing gate infrastructure scoped per engagement.
Logistics and warehousing. Dock door access, vehicle and driver identity via licence plate recognition, contractor access management.
Retail and commercial property. Staff-only zone access, loss prevention re-identification, VIP recognition. Non-biometric appearance re-ID where consent cannot be obtained.
Why Athena AI
Private deployment by default
Enrolment templates, facial embeddings, and access logs stay on your infrastructure. No biometric data transits our servers or any third-party cloud. This is not a configuration option — it is the architecture.
Compliance-first, not compliance-bolted-on
Face recognition is regulated. We don't treat compliance as an afterthought added before go-live. Legal basis review, consent workflow design, data minimisation architecture, and retention policy are scoped during discovery — before a line of code is written.
Non-biometric alternatives where required
Where face recognition is legally constrained or operationally inappropriate, we deploy appearance-based re-ID (gait, silhouette, clothing — no biometric template), badge vision augmentation (confirming the credential holder matches the credential), or licence plate recognition for vehicle access. These deliver meaningful access intelligence without triggering biometric data processing obligations.
Edge-native, hardware you own
Entry-point Jetson nodes make access decisions locally in under 300ms — no server round-trip required for routine access. The central identity server handles cross-door re-ID, audit trail, and analytics. Your operation does not depend on a network connection to grant or deny entry.
Reference work
Project
What We Built
Result
AnglerVision
Cross-camera person re-identification pipeline. Multi-door appearance tracking without face recognition. Audit trail per identity across camera zones.
90% re-ID accuracy across non-overlapping camera zones. 47% reduction in false-positive security alerts.
[Healthcare facility — NDA]
Staff zone access via face recognition on Jetson Orin AGX. Air-gapped deployment. PHIPA-compliant enrolment and retention workflow.
< 280ms access decision. Zero cloud egress of biometric data. Audit trail ingested to on-prem SIEM.
Ready to see what this looks like at your entry points?
A discovery call is a one-hour technical conversation against your actual site — camera positions, door count, existing ACS infrastructure, and the legal basis applicable to your jurisdiction. We don't pitch. We scope. By the end you know whether camera-based identity is the right architecture for your operation, which identity method is appropriate, and what compliance work is required before deployment.
[Book a Discovery Call →]
Want more detail? Continue to [How It Works →] for a non-technical walkthrough, or jump to [Architecture →] for the engineering breakdown.
Augmenting existing ACS — liveness + credential match
Licence plate recognition
96–99%
No — plate number
Yes — vehicle approaches
Vehicle access, car parks, delivery bays
Multi-modal fusion (face + badge)
99%+ combined
Yes — face template
Yes
Highest-security entry, regulated facilities
The five stages of a camera-based access event
Here is what happens, in order, from the moment a person approaches a controlled entry point:
Detect. The camera sees a person approaching the entry point. A detection model identifies that a person is present and locates their face (or their full silhouette, for non-biometric modes). This happens continuously — not triggered by a button press or card tap.
Identify. The system extracts a representation of the person — a facial embedding for face recognition, an appearance embedding for re-ID — and compares it against the enrolment database. This comparison happens locally on the edge node, against a cached subset of the gallery, in under 200ms.
Resolve. The system determines whether the comparison produces a confident match above the configured threshold, a non-match, or a low-confidence result requiring a second factor (badge tap, PIN, or human review). Threshold is configured per door, per security level.
Decide. Based on the resolution result and the access policy for that door and that identity, the system emits an access grant or deny signal. For face recognition + badge fusion, both confirmations must pass. For tailgating, the system detects a second person in the frame during an open-door event and fires a separate alert.
Log and alert. Every access event — grant, deny, tailgate, low-confidence escalation — is logged with a timestamp, a confidence score, and an image record to the central identity server. Alerts route to your configured channels (dashboard, SIEM, email, SMS, or existing ACS event bus).
What makes this hard in practice
Lighting is the most common failure mode
Face recognition accuracy in controlled, well-lit entry corridors can exceed 99%. The same system in a poorly lit car park entrance, or a lobby with strong backlight from exterior glass, can drop significantly. We benchmark accuracy in your actual lighting conditions — not in a controlled lab — before production commitment.
The enrolment process determines the ceiling
A face recognition system is only as good as the enrolment data it was built on. Poor-quality enrolment images, out-of-date photos, or missing individuals produce false rejects that erode user trust quickly. We design the enrolment workflow — capture quality standards, update cadence, removal process — as part of the deployment scope.
Tailgating detection requires calibrated geometry
Detecting two people in a single-person entry corridor requires knowing the geometry of the corridor and calibrating the detection model to that specific physical space. A model calibrated for a 1.2m-wide turnstile behaves differently at a 3m-wide lobby door. We calibrate per-entry-point during commissioning.
Legal basis is a precondition, not an afterthought
Deploying face recognition without confirmed legal basis exposes the organisation — not the technology vendor — to regulatory risk. We will not begin deployment scoping until the legal basis question is answered for the specific jurisdiction. This is not a liability disclaimer. It is an operational reality that the legal team needs to be involved before the security team orders hardware.
Discovery: site survey, camera position review, door count, existing ACS infrastructure, legal basis confirmation for each jurisdiction. One hour call followed by a site assessment.
Architecture scoping: hardware specification per entry point, identity method selection per zone, enrolment workflow design, integration surface definition.
Enrolment and commissioning: system deployed, enrolment database populated, per-entry-point calibration, acceptance testing against your population and your lighting conditions.
Integration: access decision signals connected to your door hardware, ACS event bus, or alerting channels. Audit trail connected to your SIEM or logging infrastructure.
Production and operations: fleet monitoring, enrolment maintenance, model updates, drift detection. Ongoing retainer scoped to your door count and SLA.
For the engineering detail, continue to [Architecture →]. For compliance, data governance, and operations, see [Operations →].
Global enrolment database. Cross-door re-ID. Audit trail. Analytics.
Any deployment with 3+ doors or multi-zone tracking
The pipeline differs by identity method. Each method has a different model stack, a different compute cost, a different accuracy profile, and a different legal classification. These are not interchangeable configurations — the method choice is made during discovery and scoped explicitly.
Layer
Default stack
When we substitute
Edge-specific constraint
Face detection
RetinaFace (TensorRT FP16)
MTCNN for multi-face dense scenes; scrfd-10g for power-constrained Nano
Runs on Jetson Orin NX at 30fps per stream. GPU-allocated; does not share with tracker.
Face recognition
ArcFace (ResNet-50 or MobileNet backbone)
AdaFace for low-light / motion blur environments; FaceNet for legacy enrolment database compatibility
MobileNet backbone on Orin NX for <100ms per recognition. ResNet-50 on AGX where accuracy headroom matters.
Gait / appearance re-ID
OSNet (non-biometric re-ID)
TransReID for cross-camera cross-angle scenarios; CLIP for open-vocabulary scenes
Frame-rate subsampled to every 3rd frame on Orin NX. Full-rate on AGX.
Liveness detection
Passive liveness (depth + texture analysis)
Active liveness (challenge-response) for highest-security enrolment flows
Runs on-device. Passive liveness adds <20ms per decision.
Licence plate recognition
OpenALPR / custom YOLOv11 + OCR
Domain-specific fine-tune for non-standard plate formats (international, custom)
Dedicated inference stream. Does not share GPU allocation with face pipeline.
Identity resolution
Cosine similarity against enrolment gallery; threshold configurable per security level
Approximate nearest neighbour (Faiss) for galleries > 10,000 enrolled identities
Gallery cache on edge node for <5ms lookup. Server-side full gallery for non-cache misses.
Sensor fusion
Late fusion: vision + badge/RFID event correlation
Tight fusion with UWB for sub-metre positioning in high-security zones
Fusion logic runs on edge node ARM cores; does not consume GPU.
Enrolment and gallery architecture
Enrolment workflow
Every enrolled identity requires a minimum-quality face capture (frontal, adequate lighting, eyes open, no occlusion), a consent record (for face recognition deployments), a role and zone assignment, and a retention expiry date. The enrolment pipeline enforces image quality at capture — low-quality enrolments are rejected at the source, not discovered when they cause false rejects at the door.
Gallery structure
The central identity server maintains the full enrolment gallery — a Faiss approximate nearest-neighbour index for galleries above ~10,000 identities, or a flat cosine similarity index for smaller populations. Each edge node caches a subset of the gallery — typically the enrolled population for that site or zone — to enable local identity resolution without a server round-trip. Cache invalidation is event-driven: when an enrolment is added, modified, or expired, edge nodes are updated within a configurable window.
Template storage
Facial embeddings are stored as mathematical vectors — not images. The original capture image is stored separately, access-controlled, with a configurable retention period. Template and image retention are independently configurable to match jurisdiction-specific requirements. Templates can be stored exclusively on the edge node for highest-privacy deployments.
Deletion and right to erasure
Enrolment deletion removes the template, the image, and the access log entries (or archives them to a separate, access-controlled store) in a single transaction. The deletion event is logged. This workflow is designed to satisfy GDPR Article 17 and equivalent right-to-erasure obligations.
The hard problems we plan for
Lighting variance across a facility
A corporate lobby with floor-to-ceiling glass has radically different lighting at 08:00 (overcast) and 14:00 (direct sunlight). We benchmark per-entry-point in your actual lighting conditions across the day, add domain adaptation (synthetic lighting augmentation) where accuracy varies unacceptably, and configure per-door thresholds rather than a single global threshold.
Gallery scale and search latency
At 500 enrolled identities, flat cosine similarity search is fast and exact. At 50,000, it is slow. At 500,000, it is unusable. We switch to Faiss approximate nearest-neighbour search at the scale threshold relevant to your population, with accuracy benchmarked against your gallery size before production.
Enrolment drift
A face enrolled from a two-year-old access card photo will not match well against a current camera feed. We design re-enrolment workflows into the deployment scope — prompted re-enrolment at configurable intervals, triggered re-enrolment on repeated false rejects, and bulk re-enrolment tools for HR-driven population changes.
Adversarial presentation (spoofing)
Passive liveness detection (texture and depth analysis from a standard 2D camera) defeats printed photo attacks and most video replay attacks. Active liveness (challenge-response) defeats more sophisticated attacks but adds latency and user friction. We select liveness method by security level during architecture review. We do not deploy face recognition systems without liveness detection.
Multi-site identity consistency
A person enrolled at Site A attempting access at Site B — where Site B's edge node does not have their template cached — requires a server-round-trip to the central identity server. We design the cache policy and network topology to make this round-trip reliable, or constrain cross-site access to a defined enrolled subset that is distributed to all sites.
One architecture, seven operational profiles
Vertical
Primary use case
Identity method
Key compliance concern
Typical hardware
Corporate campus
Touchless building entry, visitor management, tailgating prevention
Face recognition
GDPR / local biometric law — consent and data minimisation
Orin NX per door + on-prem server
Data centre / server room
Strict zone access, multi-factor, audit trail
Face + badge fusion
SOC 2, ISO 27001 — access logging and review
Orin AGX per entry + air-gapped server
Healthcare facility
Staff zone access, visitor flow, patient safety
Face recognition or gait (ward CCTV)
HIPAA / PHIPA — biometric data handling and retention
Jurisdiction-specific biometric law — legal basis required per site
Air-gapped, hardened, signed updates only
Manufacturing / industrial
Shift access, restricted zone enforcement, contractor management
Face recognition or badge vision
Worker consent, local labour law, GDPR where applicable
Orin NX per gate + on-prem server
Logistics / warehousing
Dock access, vehicle + driver identity, contractor access
Face + LPR
GDPR consent if EU workers; local equivalents otherwise
Orin NX per dock + LPR camera
Retail / commercial property
Staff-only zones, VIP recognition, loss prevention re-ID
Appearance re-ID (non-biometric) or face (consent-gated)
Strictest consumer privacy laws — on-device anonymisation, no persistent biometric store without consent
Orin Nano / NX + on-prem
Deployment topologies
Edge node + on-prem identity server (standard)
Jetson Orin NX or AGX at each controlled entry point. On-prem GPU server (T4 or A10) as the central identity server. Edge nodes make routine access decisions from local gallery cache. Server handles cross-door re-ID, full gallery search, audit trail, and analytics. Video never leaves the site.
Air-gapped
Full pipeline with no outbound network. Gallery updates, enrolment changes, and model updates delivered via signed packages on a controlled inbound channel or physical media. Right for government, defence, and regulated clinical environments.
Hybrid VPC
Edge nodes on-site for access decisions. VPC-hosted aggregation for multi-site analytics, cross-site identity, and reporting. Biometric templates remain on-site. Only anonymised event metadata and non-biometric analytics transit to the VPC. Appropriate for multi-site enterprises where local data residency laws permit metadata egress.
[Request Architecture Review →] [Talk to an Engineer]
EU / EEA (GDPR + AI Act)
Explicit consent or substantial public interest (narrowly defined). AI Act classifies real-time public facial recognition as high-risk or prohibited.
Lawful basis documentation, DPIA, data minimisation, retention limits, subject rights
Individuals have the right to know whether their biometric data is held, what it contains, and how it is used, in most jurisdictions. The system supports SAR responses: a single query against the enrolment database and audit log by identity returns all held data — template existence confirmation, capture date, access log entries, and retention schedule — in a structured format suitable for disclosure. Response time: under 24 hours for a well-maintained database.
Right to erasure
Erasure requests trigger a deletion transaction: template removed, capture image removed or archived to a separately access-controlled store, access log entries archived (not deleted — audit trail integrity requires retention of the event record, not the biometric data). The deletion event is logged with a timestamp and the requestor's identity. Edge node caches updated within the configured propagation window.
Audit log integrity
Every access event — grant, deny, escalation, tailgate alert — is written to an append-only audit log with a cryptographic hash chain. Log entries cannot be modified or deleted without detection. Audit logs are exported on a configurable schedule (daily, weekly) to your SIEM or long-term archive. Retention period configurable per jurisdiction.
MLOps and drift handling
Accuracy monitoring
Per-door false reject rate and low-confidence escalation rate are monitored continuously. Increases above baseline trigger an alert — not a crisis, but a signal that something has changed (lighting, enrolment quality, a new population segment, a camera repositioned). We surface the signal before your security team notices doors taking longer to open.
Model updates
Models are versioned, signed, and deployed OTA to the device fleet via canary rollout. New model runs in shadow on a subset of edge nodes, recognition accuracy compared against the production model on live traffic, promotion gated on regression checks. Face recognition model updates require re-validation against the enrolment gallery before promotion — a model that improves average accuracy but degrades on low-light conditions does not promote.
Gallery drift and re-enrolment triggers
Enrolment drift — the gradual divergence between an enrolled template and a person's current appearance — is detected by monitoring per-identity confidence scores over time. A person whose recognition confidence has trended down over six months is flagged for re-enrolment before they start experiencing false rejects.
Security and data architecture
Data residency: all biometric data processed and stored on customer infrastructure. No facial template, embedding, or capture image transits our servers or any third-party cloud.
Template encryption: facial embeddings encrypted at rest (AES-256, customer-managed keys via KMS / Vault / HSM). Encrypted in transit between edge node and identity server (mTLS).
Separation of template and image: facial embedding (the mathematical vector used for recognition) and the original capture image are stored separately, with independent access controls and independent retention schedules.
RBAC: role-based access to enrolment database, access logs, and model management. Security operations role sees events but not templates. Enrolment administrator role manages templates but not audit logs. Compliance officer role accesses all audit data.
Audit logging: every enrolment event, every deletion, every access grant/deny, every model update, every SAR response logged to an immutable append-only store.
Liveness detection: passive liveness on all face recognition deployments by default. Active liveness configurable per-door for high-security entry points.
Air-gapped operation: full pipeline with no outbound network. Model updates, gallery updates, and audit log exports via signed packages and controlled inbound channel.
Build vs buy
What a 6-month internal build looks like
A capable ML team can stand up a face recognition pipeline using ArcFace + a cosine similarity gallery in four weeks. Liveness detection, enrolment workflow with consent capture, retention policy enforcement, right-to-erasure workflow, audit log integrity, OTA model updates, and per-door calibration are the other twenty weeks. Hidden costs: biometric law expertise your ML team does not have, DPIA documentation, and the compliance audit that happens before go-live.
Where building makes sense
When biometric identity is a core product — a physical security platform, an identity verification product, a workforce management system with biometric time-and-attendance — and you intend to hire a dedicated team that includes both ML engineers and a privacy engineer. The build amortises.
Where buying makes sense
When access control is an enabling capability, not a product. Most organisations deploying camera-based access are not building a security product — they are securing a facility. The compliance overhead alone (DPIA, legal basis documentation, SAR workflows, retention enforcement) is engineering work that never amortises for a single internal deployment.
What we won't do
Deploy face recognition in jurisdictions without confirmed legal basis — regardless of how the request is framed.
Deploy face recognition in public spaces where applicable law prohibits it.
Store biometric templates in a cloud environment without explicit customer instruction, documented legal basis, and a jurisdiction-appropriate data processing agreement.
Quote recognition accuracy numbers we have not benchmarked in your lighting conditions on your population.
Proceed past scoping without a compliance sign-off from the customer's legal or DPO function for face recognition deployments.
Lock you into proprietary enrolment formats or model artifacts — your enrolment database and model weights are yours.
Engagement model
Engagements start with a paid technical discovery: 2–4 weeks covering site survey, camera position review, legal basis confirmation for each jurisdiction, identity method selection per zone, hardware specification, enrolment workflow design, and integration surface scoping. By the end you have a reference architecture, a compliance assessment, and a go/no-go decision based on actual site conditions and legal basis — not a sales pitch.
Production engagements run on milestone-based contracts with defined acceptance criteria: per-door recognition accuracy (TAR/FAR targets), access decision latency SLA (p99), enrolment workflow completion, compliance documentation deliverables. Ongoing operations (enrolment maintenance, fleet monitoring, OTA updates, compliance audit support, on-call) run as a separate retainer scoped to your door count and SLA requirements.
[Request Architecture Review →] [Book a Discovery Call →]