17 Questions to Ask Your Vendors at GSX 2025

Key questions on AI, cybersecurity, cloud, privacy and integrator services help security professionals evaluate today’s physical security technologies at GSX 2025.
Sept. 24, 2025

Most of this year’s questions are related to AI advancements that have enabled breakthrough capabilities for many categories of physical security technology. Good preparation for the show is to read my article explaining AI for physical security. The article also touches on end-user company IT review boards, to whose heightened scrutiny physical security solutions are now subjected, especially solutions that involve AI.

To save space, I list the GSX booth numbers below like this (#1234) without saying “booth” each time.

System and device cybersecurity

When it comes to networked physical security systems, it’s important for the sake of all other devices on the network that any networked system (video, access control, etc.) supports highly secure, certificate-based connections to its managed and interfaced devices.

1. DEVICE CYBERSECURITY. How is cybersecurity baked into on-premises devices?

One side-effect of AI is that AI-enabled physical security devices — especially cameras — now have greatly increased computing power and that makes them especially attractive to cyber attackers. 

This involves the manageable use of digital certificates for data encryption and for device authentication, allowing devices to prove that they belong on the network. Does the device support the use of certificates from a customer-preferred certificate authority (CA)? What are the manufacturer’s practices regarding vulnerability disclosure and firmware updates? To what extent do you support Zero Trust capabilities?

2. SYSTEM CYBERSECURITY. What are the recent improvements you have made in cybersecurity?

If you don’t get a sensible answer, it’s likely that the individual you’re asking hasn’t been paying attention to what the company has been doing or doesn’t want to talk about it. Ask for specifics about cybersecurity, not just assurances like, “we have it covered.” There should also be cybersecurity information available online, and guidance available in a downloadable format.

Hardening guides should identify which hardening steps relate to the various cybersecurity frameworks, such as the NIST cybersecurity framework and the Center for Internet Security’s CIS Controls. Recent NIST guidance (explained here) includes how to apply foundational NIST cybersecurity documents to a physical access control system (PACS).

3. Which server, appliance and workstation models have documented lab-test performance results?

On-premises server-based systems require cyber-hardened servers and workstations, but also guidance on which model to use based on the intended workload (especially important for video servers and monitoring workstations). Many manufacturers provide pre-hardened offerings; some are tested not only in their own labs but also in third-party labs such as the Dell Safety and Security Labs.

Exhibitors at GSX whom you can talk to about their validated configurations with Dell labs are Axis Communications (#1327), Genetec (#1561), Hanwha Vision (#2326), Johnson Controls (#1955), LenelS2 (#2437), Milestone Systems (#719), Pelco (#1027) and Verint (#2729).

Technology advancement

4. What is truly innovative, evolved or game-changing relating to security operations capabilities?

Practically every security industry incumbent will have “new and improved” versions of products or systems, and much of that will be around AI, integrations and mobile and cloud capabilities. While they often like to highlight the technical features, what matters most is what customers can do with them. If not volunteered, be sure to ask about customer stories and case study specifics relating to any claimed breakthrough benefits.

See also the September/October issue of Security Executive magazine, whose cover article introduces Four-Dimensional Security Surveillance (3-D Plus Time), and my column titled, Guidelines for Developing AI in Physical Security — which highlights two companies who explain how they have engineered their applications of AI to achieve outstanding performance — Acoem ATD (#3307) and Actuate.

5. How do you support integrator professional services and as-a-service offerings?

As-a-service offerings are much more than just rebranded leasing options. Due to varying lifecycles of the devices and components of today’s advancing security systems, and the increasing number of product and system configuration options, remote service capability is an important factor in addressing the complexities so as to maximize uptime and reduce service costs. Establishing secure remote connections to deployed systems is very feasible today.

However, there will be game-changers, and the nature and scope of “as-a-service” offerings are beginning to change. Eagle Eye Networks (#3039) provides an excellent example with Eagle Eye Complete, which provides both CapEx and OpEx options. Eagle Eye is truly prepared for an in-depth Total Cost of Ownership discussion, and has downloadable documentation that will (in my opinion) show you how to approach accurate TCO calculation for any offering.

Deep Sentinel (#4319) delivers AI-powered remote guarding capabilities combined with site surveillance and response technology that were once only practical for Fortune 500 companies. At its core is an on-premises edge computing and connectivity Hub that connects cameras and other devices and is a point of device integration. Running all AI at the edge, it identifies a potential threat in real time and streams the event to a live, specially trained security guard who can engage directly using two-way audio, activate built-in sirens or even deploy FlashBang deterrent options (e.g., smoke bombs, pepper spray, strobe lights) to actively stop intruders.

Privacy and data governance

6. What support do your products provide for GDPR, CCPA and CPRA compliance?

The toughest privacy and data security law in the world is the European Union’s General Data Protection Regulation. In the U.S. regulations vary by state, with California leading the way with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Previously I’ve said that being GDPR compliant is a way to assure compliance that is sufficient for any U.S. state, and for business security systems that is generally true. But there may be exceptions based on the type of business operating the security system and other factors. Download a detailed report by OneTrust DataGuidance and the Newmeyer & Dillion law firm.

For certain types of data, privacy protections include the ability to automatically anonymize the data before sharing or exporting it. Some privacy features are automated, some may be AI-based or non-AI analytics based (like face-blurring), and some require manual configuration.

Privacy and data governance are business issues whose importance to security system deployments is increasing significantly, because of the rise in non-security business operations data generated by security system analytics and AI-enabled computer vision.

Due to the security industry largely ignoring the privacy aspects involved in facial recognition, and the dangers inherent in mistaken identification, facial recognition technology has been banned in some states and government-regulated industries, as with the airport and city bans on its use.

This is what makes the facial authentication technology of the Alcatraz (#2824) multi-technology facial readers so important: they work based on mathematical models of a face. Thus, they never capture or store any human-identifiable PII, meaning that a person cannot use the data to identify the individual (it’s not a picture or image). As a result, their technology can be used even in areas and facilities in which facial recognition has been banned. Take a look at their recently released reader specifically designed for optical turnstile applications.

Some leading manufacturers have begun providing features that facilitate the proper handling of system data that has privacy considerations. Ask to see each privacy-compliance feature so you can determine how much configuration is required, and what data management processes you should have in place to support data privacy across all your physical security systems.

Cloud offerings

7. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

This is not a new question. It is still surprising to me how many cloud services salespeople can’t answer that question! This can also have some application to on-premises equipment that is cloud-managed. Many of the emerging cloud offerings are applications hosted on a cloud server, and don’t give users the flexibility and capabilities that cloud computing provides.

Not surprisingly, both Brivo Systems and Eagle Eye Networks (both in #3039) provide papers that document how they leverage cloud computing capabilities. Why do you think more cloud solution providers don’t do that?

8. Is your company listed in the STAR Registry of the Cloud Security Alliance?

It never ceases to amaze me that only three physical security industry companies (Brivo, Eagle Eye and Alcatraz AI) have filled out the free STAR Level 1 self-assessment spreadsheet and submitted it to the STAR Registry. What’s more, you’d think they would be interested in seeing what kinds of information other companies are providing!

The more people keep asking this question, the more physical security industry companies will sense the need to pay attention to the Cloud Security Alliance. When companies brag to me about how secure their cloud solution is, this question is my first response. It should be yours, too.

Addressing risk scenarios

9. What types of end user risk scenarios do your new or improved features address?

Vendors should be able to describe the risk situations that new or improved features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature?

Ambient.ai (#3119) has taken the lead in this regard, as their AI computer vision capabilities are threat-signature based, and the number of threat signatures keeps increasing. Invalid Badge with Loitering and Invalid Badge Followed By Tailgating are two examples of AI combining data from multiple systems (video and access control) to detect threat situations not detectable by either system alone.

Open platform

10. Does the platform have an Open API — meaning that it’s published online and freely available? What are some examples of its use?

Integration is now becoming one of the most important physical security technology capabilities. Think “smart spaces” and “smart buildings.” See the Brivo 2024 Global Security Trends report. Some physical security system platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement).

Ask to hear about examples of how the API is used for systems integration. SoloInsight’s CloudGate platform (#2275) supports an amazing array of integrations across multiple brands of systems. Milestone Systems (#719) was the first to provide an open video management software platform.

Digital certificates

11. Do your products support customer-provided digital certificates? How close to instantaneous is the certificate replacement process? How do you facilitate certificate management for large numbers of devices?

An increasing number of end-user organizations are requiring that encryption and system device authentication utilize customer-provided digital certificates. Because these organizations typically act as their own Certificate Authority (CA), they can perform near-instant certificate replacement for their systems. End-user customers don’t have such control over vendor-provided certificates.

Body-worn technology

The use of body-worn cameras in the business sector keeps increasing. They have been found to be highly valuable in the retail, healthcare, transportation and education sectors. However, the wearability of products and their technical capabilities vary significantly. The following set of questions applies.

12. How can the technology be piloted to gauge system complexity, manual process impacts, and user experience; what safeguards address data privacy; what are the care and maintenance requirements; how does recording versus live streaming/sharing work; is it compatible with both cloud and on-premises VMS; and what customer use cases best match mine?

Due to the increasing use of body-worn cameras in the business sector, most providers can be very specific about how the technology will work in any situation and use case.

Leveraging existing technology deployments

This is a critical subject because many multi-national organizations have widespread technology deployments and rightly balk at rip-and-replace scenarios, especially ones that lock them into a specific brand or line of products.

13. What do you have that adds value to my existing physical security systems?

Check out SoloInsight’s CloudGate platform (booth #2827), mentioned above in question #6, because this platform’s purpose is to add value — especially manageability — to enterprise-scale deployments, regardless of how many types and brands of electronic physical security systems are involved.

Alcatraz (#2824) is an excellent example of a device that can significantly improve the effectiveness of specific access control points by addressing tailgating very cost-effectively.

AI-enabled technologies

It would be impossible to avoid the AI-based and AI-enhanced technologies at GSX 2024. Many of the questions above apply to AI-enabled products, such as those from Ambient AI and Alcatraz AI.

A plethora of network video cameras have machine learning and deep learning chips and contain manufacturer-provided video analytics software that uses them. Some support third-party AI-based analytics that utilize these chips.

It is important to note that the AI in security devices and systems is categorized as “narrow AI,” which refers to AI that has a narrow focus and whose functionality is limited to a specific purpose. It cannot go beyond the bounds set for it.

This is in contrast to “general AI” (which refers to hypothetical AI systems that would have human-like general intelligence and problem-solving abilities across diverse domains) and “generative AI” (a type of AI that can create new content such as text, images, music, audio, and videos). It is these two categories of AI around which the scary stories are centered.

A good look at the uses of AI, including the different types of facial recognition (technical but understandable), is the paper titled Artificial Intelligence in Physical Security, by Chris Navaral, Director Global Operations Center at Salesforce, written primarily for those overseeing or operating their company’s Security Operation Centers.

Reading that 10-page paper will likely prompt several questions relevant to AI and your specific security technology applications. Read the paper all the way through, as there are several very key points towards the end.

14. At what point in the deployment timeline does an AI-enabled product achieve its full value? What are the time frames for AI training and initial learning that enable it to be fully functional?

Due to improvements in AI model training, over the past three years the time-to-value for a few of the leading AI platforms has dropped dramatically from months to weeks, and weeks to days. Ask about this at the Ambient AI booth. For many AI-enabled devices, such as the Alcatraz products, the time to value is zero, based on the nature of how its AI is used.

15. Who developed the AI software? Was it developed internally, based on open-source AI software, or specifically licensed from the developing company? Is the data that was used to train the AI models from a third party, the manufacturer or the customer?

This category of questions is so important that in July of 2025 Motorola Solutions introduced AI Nutrition Labels, which it will apply across its nearly two dozen well-known safety and security technologies.  

16. If it is a hybrid system, with some elements on premises and some in the cloud, where is all the data kept? If some learned data is kept locally on the on-premises server, how do I back it up?

17. If AI is used in rule-based decision-making relating to access control or video systems, do you have documentation sufficient to meet a privacy regulation’s requirements to document the processing of PII data?

It is often quite daunting to see the number and variety of products at GSX. It can be hard to differentiate between them. Hopefully, the answers to these questions will help with that.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Ray has recently released an insightful downloadable eBook titled, Future-Ready Network Design for Physical Security Systems, available in English and Spanish.

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.
