Accountability is shared between HR, which owns hiring assurance, and identity teams, which own downstream access governance. If either side treats the process as someone else’s problem, the organisation can end up issuing valid access to an invalid identity. Shared controls are the only reliable answer.
Why This Matters for Security Teams
Fraudulent onboarding is not just a people-risk issue. It is an identity assurance failure that can turn a bad hire, a synthetic persona, or a compromised applicant into a valid user with legitimate access. HR may approve the hire, but identity and security teams still own the downstream controls that decide whether access is safe, bounded, and revocable. NIST’s Cybersecurity Framework 2.0 treats identity governance as a shared control concern, not a single-team task.
The practical risk is simple: once a fraudulent employee is issued email, VPN, payroll access, or application entitlements, the organisation has created a trusted path that is hard to unwind. That path often bypasses detection until fraud, data theft, or insider abuse is already underway. NHIMG’s Ultimate Guide to NHIs shows that 80% of identity breaches involve compromised non-human identities, a reminder that any weak identity gate can be exploited once trust is granted. In practice, many security teams encounter fraudulent onboarding only after access has already been provisioned and the damage has begun.
How It Works in Practice
Accountability should be split by control domain, not by blame. HR owns hiring assurance, which means verifying the legitimacy of the employment event, identity documents, and approval chain. Identity, IAM, and security teams own access assurance, which means ensuring the person who is onboarded is the same person who is authorised, and that access is issued with the minimum necessary scope.
In a mature process, onboarding should include layered checks:
- HR validates the job offer, employment records, and human review steps.
- Identity teams enforce identity proofing, joiner workflow controls, and unique identity creation.
- Access governance applies least privilege, approval gating, and time-bounded provisioning.
- Security monitors for anomalies such as duplicate bank details, suspicious email domains, or mismatched device and location signals.
This is where shared control design matters. A fraudulent employee can still pass a weak HR workflow if downstream identity issuance is automatic and unchallenged. That is why current guidance suggests tying onboarding to identity proofing strength, privileged access checks, and immediate revocation pathways. For broader identity lifecycle context, NHIMG’s Ultimate Guide to NHIs is useful because it frames governance as continuous, not point-in-time. NIST’s Cybersecurity Framework 2.0 reinforces that identity and access management should be integrated into broader governance and detection processes, not isolated in HR or IT alone. These controls tend to break down when onboarding is fully automated across multiple systems but no one owns end-to-end exception handling and revocation.
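The following is an added example, not code from NHIMG or from the guidance above. It sketches a joiner gate that sits between HR approval and access provisioning and implements the layered checks just described: hiring assurance (HR) and identity-proofing strength (identity team) must both pass, neither owner can override the other, entitlements are clipped to a role baseline, first provisioning is time-bounded, and the anomaly signals listed above (duplicate bank details, suspicious email domains, mismatched location) are surfaced to security. The role baseline, the review-domain list, the 30-day access window and the sample joiner records are all constructed assumptions.

```python
"""Joiner gate: shared-control check between HR hire approval and access provisioning.
Added example with constructed data; thresholds and lists are assumptions, not a standard."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed least-privilege baseline: the most each role may receive at first provisioning.
ROLE_BASELINE = {
    "finance-analyst": {"email", "vpn", "erp-read"},
    "platform-admin": {"email", "vpn", "prod-ssh"},
}
PRIVILEGED_ENTITLEMENTS = {"prod-ssh", "erp-write", "payroll-admin"}
# Constructed review list; a real deployment would use a maintained disposable-domain feed.
REVIEW_EMAIL_DOMAINS = {"mailinator.example", "tempmail.example"}
INITIAL_ACCESS_WINDOW = timedelta(days=30)  # assumption: access lapses unless re-approved


@dataclass
class JoinerRequest:
    employee_id: str
    personal_email: str
    bank_account_token: str      # tokenised payroll reference, never the raw account number
    hr_offer_verified: bool      # HR domain: offer, employment records and human review done
    hr_approver: str | None      # HR domain: named approver in the hiring chain
    proofing_level: int          # identity domain: 0 none, 1 remote document check, 2 supervised
    role: str
    requested_entitlements: set[str]
    hr_country: str              # country on the employment record
    onboarding_country: str      # country observed at the joiner's first sign-in


@dataclass
class Decision:
    provision: bool
    entitlements: set[str] = field(default_factory=set)
    expires_at: datetime | None = None
    hr_findings: list[str] = field(default_factory=list)        # blocking, owned by HR
    identity_findings: list[str] = field(default_factory=list)  # blocking, owned by identity/IAM
    review_signals: list[str] = field(default_factory=list)     # routed to security monitoring


def evaluate_joiner(req: JoinerRequest, existing: list[JoinerRequest], now: datetime) -> Decision:
    d = Decision(provision=False)
    baseline = ROLE_BASELINE.get(req.role, set())
    effective = req.requested_entitlements & baseline      # least privilege: clip to baseline
    dropped = req.requested_entitlements - baseline
    if dropped:
        d.review_signals.append("requested entitlements outside role baseline dropped: "
                                + ", ".join(sorted(dropped)))

    # 1. Hiring assurance (HR owns). An unverified offer or missing approver stops the workflow.
    if not req.hr_offer_verified:
        d.hr_findings.append("offer/employment records not verified")
    if not req.hr_approver:
        d.hr_findings.append("no named approver in the hiring chain")

    # 2. Access assurance (identity owns). Proofing strength must match the access being issued.
    wants_privileged = bool(effective & PRIVILEGED_ENTITLEMENTS)
    required_level = 2 if wants_privileged else 1
    if req.proofing_level < required_level:
        d.identity_findings.append(
            f"proofing level {req.proofing_level} below required level {required_level}")
    if any(e.employee_id == req.employee_id for e in existing):
        d.identity_findings.append("employee_id already exists; identity must be unique")

    # 3. Anomaly signals (security monitors). Surfaced always; they block only privileged access.
    if any(e.bank_account_token == req.bank_account_token and e.employee_id != req.employee_id
           for e in existing):
        d.review_signals.append("bank account already linked to another employee")
    if req.personal_email.rsplit("@", 1)[-1].lower() in REVIEW_EMAIL_DOMAINS:
        d.review_signals.append("personal email domain on review list")
    if req.hr_country != req.onboarding_country:
        d.review_signals.append("onboarding location differs from employment record")
    if wants_privileged and d.review_signals:
        d.identity_findings.append("privileged access held pending security review of signals")

    if d.hr_findings or d.identity_findings:
        return d  # hold: either owner can block, neither can override the other

    # 4. Time-bounded issue: first provisioning carries an expiry that must be re-approved.
    d.entitlements = effective
    d.expires_at = now + INITIAL_ACCESS_WINDOW
    d.provision = True
    return d


def demo() -> dict[str, Decision]:
    """Constructed sample joiners; returns the gate decision keyed by employee_id."""
    now = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)
    existing = [JoinerRequest("E100", "alice@example.org", "tok-A1", True, "hr.lead", 1,
                              "finance-analyst", {"email", "vpn"}, "GB", "GB")]
    legit = JoinerRequest("E101", "bob@example.org", "tok-B2", True, "hr.lead", 1,
                          "finance-analyst", {"email", "vpn", "erp-read", "erp-write"}, "GB", "GB")
    no_hr = JoinerRequest("E102", "carol@example.org", "tok-C3", False, None, 2,
                          "platform-admin", {"email", "prod-ssh"}, "DE", "DE")
    suspect = JoinerRequest("E103", "dan@tempmail.example", "tok-A1", True, "hr.lead", 1,
                            "platform-admin", {"email", "prod-ssh"}, "GB", "NG")
    return {r.employee_id: evaluate_joiner(r, existing, now) for r in (legit, no_hr, suspect)}


if __name__ == "__main__":
    for emp, decision in demo().items():
        print(emp, decision)
```

The point of the structure is that the HR findings and the identity findings are separate lists with separate owners: a hold from either is visible to the other, which is the exception-handling path the text says tends to go missing when onboarding is automated across systems. In the sample data, E101 is provisioned with `erp-write` stripped and a 30-day expiry, E102 is held on HR findings alone, and E103 is held by the identity team because it requested privileged access on weak proofing while three security signals fired.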
Common Variations and Edge Cases
Tighter onboarding controls often increase friction, requiring organisations to balance fraud prevention against hiring speed and candidate experience. That tradeoff becomes especially visible in high-volume hiring, acquisitions, contractor onboarding, and remote-first environments where supporting evidence may be inconsistent.
There is no universal standard for this yet, but current guidance suggests treating “fraudulent employee” cases differently from ordinary misconfiguration. If the person is fake, the concern is not only incorrect access but also downstream account recovery, payroll fraud, and potential data exfiltration through legitimate systems. If the employee is real but their documents were manipulated, the response may require both HR investigation and security-led containment.
Edge cases also include:
- Third-party recruiters submitting incomplete or unverifiable records.
- Temporary workers who need rapid access but still require proofing.
- Privileged roles where standard onboarding is too permissive.
- Distributed organisations where local HR practices vary by region.
Best practice is evolving toward shared accountability, formal exception handling, and immediate access revocation when identity assurance is in doubt. For organisations managing large identity estates, NHIMG’s research shows the scale of the problem: the Ultimate Guide to NHIs highlights how quickly valid access becomes a liability when lifecycle controls are weak.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OC-02 | Clarifies accountability for identity risk across HR and security. |
| NIST CSF 2.0 | PR.AA-01 | Identity verification is central to preventing fraudulent onboarding. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Untrusted identity creation can lead to valid but illegitimate access. |
Assign clear ownership for onboarding risk and document who approves identity proofing and access issuance.