The recording vs. record distinction
Operators repeat one mistake: confusing "we record everything" with "we can prove anything."
A legacy DVR overwriting on 30, 60, or 90-day retention captures footage. When an OSHA inspector asks for the forklift incident on April 11 at 14:35, the manager pulls the clip. When the inspector asks for every time someone entered the chemical room without PPE in the last 90 days, the system can't answer. The footage exists. The query doesn't.
That's the audit-fail pattern. The auditor doesn't want a video. They want a record: structured, searchable, retained for the regulation-specified window, producing an answer in minutes, not days.
What auditors actually expect, by regulation
Different frameworks expect the same kind of evidence in different formats.
OSHA (29 CFR 1910). Documentation of PPE compliance (1910.132), confined-space entry (1910.146), lockout/tagout enforcement (1910.147), powered industrial truck operations (1910.178). Inspector expects an on-demand answer to "show me every time someone entered this zone without the required PPE in the last 30 days." Serious violations run up to $16,131 per violation as of the 2024 OSHA adjustment; willful or repeated up to $161,323 per violation.
HIPAA (45 CFR 164.310). Documented physical access controls on PHI-containing spaces. Joint Commission expects auditable logs on medication rooms (DEA 21 CFR Part 1301 parallel), behavioral health units, NICU, and infant protection. Retention: six years for accountings of disclosures.
HACCP and FDA Food Safety Modernization Act. Documented controls at critical control points. Cleaning cycles, sanitation workflows, gowning compliance, controlled-zone entry. During a recall investigation, the FDA wants to reconstruct the production timeline. The records that produce that reconstruction in hours are the ones that hold up.
SOC 2 Common Criteria. Physical access provisioning, de-provisioning, periodic review. Sampled and verified during the audit.
PCI-DSS Section 9. Physical access to cardholder data environments. One year retention, three months immediately accessible.
CMMC 2.0. Defense subcontractors. C3PAO assessment evaluates physical access controls and visitor logging for CUI environments. Documentation failures cost DoD contracts.
The pattern across every framework: the auditor's question gets answered from one report run by one person, not three reports stitched together at the end of a week.
Why the audit-fail pattern repeats
The configurations that produce audit failures repeat across operators.
- Camera-only deployment with no event tagging. The footage exists; the structured record doesn't. Reconstructing an event takes days of NVR scrubbing.
- Site-by-site systems with no central platform. A 12-site enterprise running 12 isolated DVRs can't produce an enterprise-wide answer in any reasonable window.
- Retention shorter than the regulation. 30- or 60-day overwriting on a regulation that expects two years. The evidence is gone before the audit asks.
- No correlation between access events and video. The door log doesn't pre-cue the camera clip. The investigation runs in two systems with two clocks.
- No reporting layer for safety teams. The compliance manager wants weekly PPE numbers; the camera system produces a clip. The safety team walks the floor manually instead.
What video analytics actually contributes
Honest framing: video analytics doesn't make a non-compliant operation compliant. It produces the structured records that close the documentation gap. The specific records analytics can generate:
- PPE compliance logs. Object-classification models trained on hard-hat, safety-vest, hairnet, glove, and eye-protection presence flag the worker without the required item. Daily compliance report instead of a manual floor walk. Genetec, Verkada, Avigilon Alta, Intenseye, and Dragonfruit AI all ship variants of this.
- Restricted-zone entry logs. Person crosses into the chemical room without the access credential. Event logged with video pre-cued. Compliance team has the evidence the next morning.
- Forklift-pedestrian proximity events. Industrial truck and worker proximity flagged before the contact, after the contact, or both. The leading-indicator metric the safety team can move on.
- Slip-trip-fall detection. Person on the ground in a zone where they shouldn't be on the ground. Faster incident response, faster claim documentation, less ambiguity on the timeline.
- Visitor and contractor tracking. Visitor check-in pre-cues face capture. Contractor leaves the authorized zone, alert fires.
- Cleaning and sanitation cycle confirmation. Did the food-production cleaning crew enter, complete the cycle, and exit on schedule? The record is automated.
The compliance team gets a dashboard instead of a clipboard. The auditor gets a report instead of a scrubbing session.
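The restricted-zone entry log described above comes down to correlating two event streams. The following is an added example, not code from any vendor named here; the field names, sample events, tolerance, and pre-roll values are all constructed assumptions. It matches each camera zone crossing to at most one badge swipe, corrects for a measured clock offset between the two systems, and emits a record with the clip start pre-cued for every crossing that has no credential behind it.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from a real system); timestamps are ISO 8601.
BADGE_LOG = [  # door controller: credential presented at the reader
    {"ts": "2026-04-11T14:35:02", "door": "chem-room", "badge": "B-1041"},
    {"ts": "2026-04-11T16:10:40", "door": "chem-room", "badge": "B-2210"},
]
CAMERA_EVENTS = [  # video analytics: person crossed the zone line
    {"ts": "2026-04-11T14:35:05", "zone": "chem-room", "camera": "cam-07"},
    {"ts": "2026-04-11T15:02:17", "zone": "chem-room", "camera": "cam-07"},
    {"ts": "2026-04-11T16:10:44", "zone": "chem-room", "camera": "cam-07"},
    {"ts": "2026-04-11T16:10:49", "zone": "chem-room", "camera": "cam-07"},
]


def correlate(badges, crossings, camera_offset_s=0, tolerance_s=10, pre_roll_s=15):
    """Return one structured record per zone crossing with no matching badge swipe.

    camera_offset_s is the measured camera clock minus the door-controller clock.
    """
    tol = timedelta(seconds=tolerance_s)
    unused = sorted((datetime.fromisoformat(b["ts"]), b["door"]) for b in badges)
    findings = []
    for c in sorted(crossings, key=lambda c: c["ts"]):
        cam_time = datetime.fromisoformat(c["ts"])
        t = cam_time - timedelta(seconds=camera_offset_s)  # door-controller clock
        match = next(
            (b for b in unused if b[1] == c["zone"] and abs(b[0] - t) <= tol), None
        )
        if match:
            unused.remove(match)  # one swipe admits one person (catches tailgating)
            continue
        findings.append({
            "zone": c["zone"],
            "camera": c["camera"],
            "event_ts": t.isoformat(),  # on the door-controller timeline
            # clip start stays on the camera clock, where the footage is indexed
            "clip_start": (cam_time - timedelta(seconds=pre_roll_s)).isoformat(),
            "reason": "no_credential",
        })
    return findings


if __name__ == "__main__":
    for record in correlate(BADGE_LOG, CAMERA_EVENTS):
        print(record)
```

With the sample data, the 15:02:17 crossing has no swipe at all and the 16:10:49 crossing follows a swipe that was already consumed by the person four seconds ahead. Leaving a 30-second clock offset uncorrected turns every crossing into a false finding, which is the "two systems with two clocks" problem in concrete form.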
The retention reality
Different regulations expect different retention windows. A single 30- or 60-day rolling DVR matches none of them.
- OSHA 300 logs: five years.
- HIPAA accountings of disclosures: six years.
- PCI-DSS: one year, three months immediately accessible.
- SOC 2: one year of audit evidence typical.
- FDA FSMA: two years for sanitation and process records.
- CMMC: two years for visitor logs in CUI facilities.
- DEA 21 CFR Part 1301: two years.
The deployment matched to the regulation uses tiered storage: hot storage for the active window at full resolution, cold storage for the regulatory window with downsampled video and full metadata. Every event stays queryable for the regulatory window even when the high-resolution footage isn't. The deployment that fails has one rolling DVR set to 30 or 60 days because nobody mapped retention to the regulation when the system was specified.
How to move from "cameras everywhere" to audit-ready
The sequence that works, in order.
- Inventory the frameworks that apply. OSHA always. Then the vertical-specific one (HIPAA, FSMA, PCI-DSS, CMMC). Then state-specific (BIPA, California CCPA/CPRA, NYC Local Law 3, Washington HB 1493).
- Map each framework to the evidence it expects. One page per framework: what records, what retention, what export format.
- Audit the current deployment against the map. The gap is usually one of three: retention shorter than the regulation, no queryable records, or no central platform across sites.
- Choose the platform that closes the gaps. Cloud-native access control plus video correlation. Genetec, Verkada, Avigilon Alta, Brivo, Milestone, and Eagle Eye all support this in 2026.
- Configure the analytics per framework. PPE for OSHA, restricted-zone for controlled substances, cleaning-cycle for FSMA, visitor tracking for CMMC.
- Set retention tiers per regulation. Not one number across the platform.
- Run a mock audit. Pull the report the regulator would ask for. If it takes more than 30 minutes, the configuration isn't done.
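The "audit the current deployment against the map" and "set retention tiers per regulation" steps, together with the retention windows listed earlier, can be expressed as a check over a site inventory. This is an added example, not any platform's own tooling; the inventory fields, the two sample sites, the 365-day year, and the 90-day reading of "three months" are assumptions.

```python
YEAR = 365  # assumption: one year counted as 365 days

# Retention windows as listed in this article, converted to days.
REQUIRED_DAYS = {
    "OSHA 300": 5 * YEAR, "HIPAA": 6 * YEAR, "PCI-DSS": 1 * YEAR,
    "SOC 2": 1 * YEAR, "FDA FSMA": 2 * YEAR, "CMMC": 2 * YEAR,
    "DEA 1301": 2 * YEAR,
}
# "Three months immediately accessible", taken as 90 days (assumption).
HOT_DAYS = {"PCI-DSS": 90}

# Constructed inventory. hot_days: full-resolution window.
# event_retention_days: how long event metadata stays queryable (hot + cold).
SITES = {
    "warehouse-a": {"frameworks": ["OSHA 300", "PCI-DSS"], "hot_days": 60,
                    "event_retention_days": 60, "event_tagging": False,
                    "central_platform": False},
    "clinic-b": {"frameworks": ["OSHA 300", "HIPAA"], "hot_days": 90,
                 "event_retention_days": 6 * YEAR, "event_tagging": True,
                 "central_platform": True},
}


def audit_site(site):
    """Return (gap, framework, configured, required) findings for one site."""
    gaps = []
    for fw in site["frameworks"]:
        if site["event_retention_days"] < REQUIRED_DAYS[fw]:
            gaps.append(("retention_short", fw,
                         site["event_retention_days"], REQUIRED_DAYS[fw]))
        if site["hot_days"] < HOT_DAYS.get(fw, 0):
            gaps.append(("hot_window_short", fw, site["hot_days"], HOT_DAYS[fw]))
    if not site["event_tagging"]:
        gaps.append(("no_queryable_records", None, None, None))
    if not site["central_platform"]:
        gaps.append(("no_central_platform", None, None, None))
    return gaps


def tier(age_days, site):
    """Where a record of the given age lives: hot, cold, or already expired."""
    if age_days <= site["hot_days"]:
        return "hot"
    return "cold" if age_days <= site["event_retention_days"] else "expired"


if __name__ == "__main__":
    for name, site in SITES.items():
        print(name, audit_site(site))
```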
What to ask before signing
- What's the evidence format your platform produces for each of our applicable regulations?
- What's the retention tier configuration and what does the cold storage cost?
- How does the access event correlate with the video clip in the same investigation timeline?
- Who pulls the audit report? Our compliance team, or you?
- For BIPA, CCPA, NYC, and Washington biometric privacy: what's your consent and retention flow?
- What's the integration with our SIEM and our compliance reporting tooling?
If the vendor can't answer with specifics, they're selling a camera system, not a compliance platform.