Facial Recognition For Security: Benefits And Challenges

Facial recognition is the single most polarising capability in modern video intelligence. For some buyers it's the headline feature that justifies the platform. For others it's the headline risk that bars the platform from procurement. Both reactions are usually based on incomplete understanding of what the technology actually does, how it performs, and how it can be deployed responsibly.

This article gives an honest, technical accounting. No marketing — just what works, what doesn't, and what regulators actually require. The framing is African deployment but most of the technical reality is universal.

What facial recognition actually is (and what it isn't)

The term "facial recognition" gets stretched to cover several distinct technical operations. Pinning them down precisely is the first step to a useful conversation.

Face detection. Determining that a face is present in an image. This is uncontroversial and ubiquitous — every smartphone camera does it. By itself, face detection identifies nobody.

Face attribute analysis. Estimating attributes from a face — approximate age, apparent gender, emotion, head pose. Sometimes useful for analytics (anonymous demographic summaries), almost never used in security applications.

Face matching (1:1). Comparing a detected face against a single specific reference image and returning a similarity score. Used at access points where someone presents identity (a staff badge, a visitor pass) and the system verifies the face matches the claimed identity.

Face identification (1:N). Comparing a detected face against a reference set of N known faces and returning the closest matches. The serious enterprise security use case is bounded 1:N — matching against a watchlist the customer owns (banned individuals, persons of interest, registered visitors). The controversial use case is unbounded 1:N — matching against population-scale databases the customer doesn't control.

For security operations, the technology that matters is overwhelmingly bounded 1:N face matching against a customer-controlled watchlist. Everything serious enterprise vendors sell is some form of this. Treat any vendor talking about general-population identification with deep scepticism.

The real benefits — and they are real

Used in the right contexts, facial recognition delivers operational value that's difficult to replicate any other way.

Watchlist matching for known offenders. Malls, banks and corporate sites all maintain lists of individuals who have been previously banned, caught, or flagged. Without facial recognition, "watch out for these people" is a poster on the security office wall that nobody actually looks at. With facial recognition, the watchlist becomes a live filter against every camera in real time.

Access control for known populations. Corporate offices, hospitals, secure facilities and gated estates have defined-population sites where most movement should match an expected pattern. Facial recognition enables passive access verification — the right person walks through the right door at the right time, no card-tap required, and the system alerts only when something doesn't match.

VIP and member recognition. Hotels, hospitality and high-end retail benefit from recognising VIPs and high-tier members on arrival. The use case is service, not security, but the technology is the same.

Lost children and vulnerable persons. When a parent reports a missing child, facial recognition against an enrolled image collapses the search radius from "the whole mall" to "the cameras that have seen this child in the last 30 minutes". In healthcare settings, the same workflow applies to dementia patients who may have wandered from a ward.

Suspect investigation. When a crime is reported with a partial face captured on one camera, the platform can search across other cameras and time windows to reconstruct the subject's path. This is forensic, not preventive — but the time savings are enormous.

Accuracy in practice

The honest framing for buyers: laboratory accuracy and production accuracy are different numbers. Vendors quote the first. Operators experience the second.

Top-tier facial recognition models score above 99% accuracy in NIST FRVT (Face Recognition Vendor Test) evaluations with high-quality face images and controlled conditions. Some scoring above 99.9% in 1:1 verification tasks. These are real numbers — and they're not what your cameras see.

Production accuracy depends on five variables:

• Camera placement. A face captured at 5° below horizontal, evenly lit, at 80+ pixels between the eyes, performs vastly better than the same face captured at 45° from above with strong backlighting.
• Image resolution at the face. Most security cameras have plenty of resolution; the question is whether the face occupies enough of the frame. As a rule of thumb, 80 pixels eye-to-eye is the practical floor for reliable matching.
• Enrolment image quality. The reference image used to enrol a watchlist subject matters enormously. A clear, frontal, well-lit enrolment image is the difference between reliable matching and false negatives.
• Watchlist size and threshold tuning. Larger watchlists generate more potential matches and require higher confidence thresholds to manage false positives.
• Lighting and environmental conditions. Mixed lighting, hard shadows, glare from reflective surfaces — each degrades performance in predictable ways.

What this means in practice: a deployment with carefully placed cameras, high-quality enrolment images, well-tuned thresholds, and a manageable watchlist size will perform at or near the laboratory numbers. A deployment that ignores those variables can see precision and recall drop by 10–30 percentage points. The variable buyers can most easily control is enrolment quality.

The bias problem — what's true and what's outdated

For years, facial recognition systems had measurable performance gaps across demographic groups — particularly between lighter-skinned and darker-skinned subjects, and between male and female faces. The 2018 Gender Shades paper made this widely known, and subsequent NIST evaluations confirmed the gaps existed in many commercial systems.

The picture in 2026 is significantly improved but not uniformly so. The leading models in the 2023+ NIST FRVT round show dramatically reduced demographic performance gaps compared to 2018-era models. But:

• Not every vendor uses a leading model. Some still deploy systems trained on imbalanced datasets.
• Even bias-corrected models can underperform in deployment conditions that weren't well represented in training data.
• The variance across vendors is significant. Two vendors can use the term "facial recognition" while delivering very different accuracy profiles across demographics.

For African deployments, this matters more than average. Many of the most widely deployed legacy systems were trained on datasets that under-represented African demographics. Buyers should ask vendors specifically about NIST FRVT performance broken down by demographic, and about training data composition. The right vendor will provide both without flinching.

Compliance — what African regulators actually require

Facial recognition is governed across Africa as biometric processing, which is treated as a special category of personal data with elevated requirements. The headline regimes:

• Nigeria — NDPR (2019) and NDPA (2023). Biometric data is "sensitive personal data". Processing requires a lawful basis, documented purpose, proportionality assessment, and retention limits. Cross-border transfer requires either a determination of adequacy or specific safeguards.
• South Africa — POPIA. Biometric identifiers are "special personal information". Processing generally requires explicit consent unless one of the specific exceptions applies. The Information Regulator has shown growing willingness to enforce.
• Kenya — Data Protection Act (2019). Biometric data is "sensitive personal data". Processing requires consent or another specified lawful basis, and impact assessments are required for high-risk processing including biometric identification.
• Ghana — Data Protection Act (2012). Biometric data is "special personal data". Requirements broadly mirror the regional pattern.
• Rwanda — Law No. 058/2021. Biometric data is "sensitive data". Processing requires consent or another specified lawful basis.

The practical implications for facial recognition deployment in Africa:

1. Document a specific purpose. "General security" isn't enough. "Watchlist matching against persons previously convicted of theft on these premises, retained for 24 months" is.
2. Apply proportionality. The processing must be necessary and minimal. A bank vault is a different proportionality calculus from a public shopping mall.
3. Notify data subjects. Visible signage that facial recognition is in use, with the legal basis and contact information.
4. Maintain audit logs. Who accessed what data, when, for what purpose.
5. Retain footage residency. On-premise or hybrid deployment that keeps the biometric processing on the customer's network is materially easier to justify under most regimes than cloud-only processing.
6. Set retention limits. Specific, defensible retention periods for face data and matched events.

Vendors who can support all of this — on-prem deployment, configurable retention, audit logging, role-based access — make the compliance posture meaningfully easier. Vendors who can't are setting their customers up for problems.

Deploying it well

A short, opinionated playbook for facial recognition deployment in security operations:

1. Start with a specific use case. Define the operational problem facial recognition is solving before procuring anything. Watchlist matching against known offenders. Access verification for staff. Lost-child search. Be specific.
2. Bound the watchlist. The watchlist is yours, you own it, you populate it, you remove from it. It does not include the general public.
3. Invest in enrolment quality. Spend more time on the enrolment workflow than on any other part of the deployment. Good enrolment images drive everything else.
4. Place cameras for face capture. Treat face-capable cameras as a distinct category — different placement, different angle, different settings — from general-surveillance cameras.
5. Tune thresholds conservatively. A high-confidence threshold reduces false positives at the cost of some false negatives. For most security applications, that's the right tradeoff.
6. Plan the human-in-the-loop response. An alert isn't an action. Define what an operator does when a watchlist match fires — verify, escalate, respond.
7. Build the compliance documentation alongside the technical deployment. Don't bolt it on after launch.

When facial recognition isn't the right answer

Three scenarios where facial recognition is the wrong tool:

1. General population surveillance. Identifying unknown members of the public against unbounded databases is operationally unnecessary, legally fragile, and ethically dubious. If the use case requires this framing, the use case is wrong, not just the tool.

2. Lighting and angle conditions that don't support reliable face capture. Outdoor entrances with strong backlighting, ceiling-mounted cameras at steep angles, low-resolution legacy cameras. Behaviour analytics, vehicle recognition, or perimeter rules often deliver better outcomes in these conditions.

3. Use cases better served by access control. If the operational need is "verify the right person is entering the right area", a card-tap or biometric badge often performs better than passive facial recognition — and avoids the compliance and accuracy issues entirely.

FAQ

Sorveo offers facial recognition as part of a broader video intelligence platform — with on-prem deployment, customer-owned watchlists, audit logging, and full alignment to NDPR and other African data protection regimes. Explore the dedicated facial recognition solution or book a live demo.