Subscribe to the Non-Human & AI Identity Journal

Ghost Worker

A ghost worker is a payroll identity that remains active and payable even though no eligible person should be receiving that salary. The risk is usually caused by weak offboarding, poor master-data hygiene, or manual exceptions that let stale records persist in payment systems.

Expanded Definition

In security and governance terms, a ghost worker is not just a payroll error. It is a persistent identity record that continues to authorise payment after the legitimate employment relationship has ended, changed, or never existed. At NHI Management Group, this matters because the problem sits at the intersection of identity lifecycle control, human resources data quality, and finance system integrity. The record can survive because approvals are manual, offboarding is incomplete, or payroll and IAM systems are not reconciled quickly enough.

Definitions vary across vendors and audit teams, but the core issue is consistent: an active payable identity without a valid entitlement to receive funds. That makes the term closely related to identity governance, even though it is often discussed in fraud or payroll contexts rather than classic cybersecurity. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises governance, asset visibility, and control over lifecycle risks that can leave identities active after they should be removed.

The most common misapplication is treating ghost workers as only a payroll reconciliation issue, which occurs when organisations ignore identity and access dependencies that allow stale worker records to keep driving payments.

Examples and Use Cases

Implementing controls against ghost workers rigorously often introduces tighter approval chains and reconciliation overhead, requiring organisations to weigh payment accuracy against administrative friction.

  • A terminated employee remains on the payroll because HR submitted the separation, but payroll never received the update and the account stayed active.
  • A contractor’s engagement ended, yet a manual exception in the finance system continued paying the old rate for several cycles.
  • A duplicate worker profile was created during a merger, and one dormant record kept generating salary or stipend payments while the valid record was managed elsewhere.
  • A role change was processed in IAM, but downstream payroll entitlement rules were not updated, leaving the obsolete pay profile intact.
  • An offshore or contingent worker record was never fully deactivated because offboarding depended on a spreadsheet review rather than system-enforced closure. Guidance on resilient identity operations in NIST Cybersecurity Framework 2.0 helps illustrate why stale records become control failures, not just accounting mistakes.

Why It Matters for Security Teams

Ghost workers matter because they expose a broader control failure: the organisation has lost reliable authority over who is entitled to exist in its operational systems. That can signal weak joiner-mover-leaver discipline, poor master-data governance, and inadequate segregation between HR, IAM, and payroll functions. In identity-heavy environments, the same weaknesses that allow an unpaid or duplicated worker record to survive can also allow overprovisioned accounts, orphaned access, or fraudulent vendor identities to persist.

For security teams, the issue is not only financial leakage. Ghost worker conditions can mask fraud, complicate audits, and create false confidence in downstream controls that assume the payroll base is accurate. This is especially relevant where automated workflows, agentic AI, or large-scale identity operations ingest HR data and make decisions based on stale records. The stronger the automation, the more damaging an incorrect identity source becomes. Organisations typically encounter the full impact only after an audit, fraud investigation, or payroll dispute, at which point ghost worker remediation becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0 and NIST SP 800-63 set the technical controls, and DORA and PCI DSS v4.0 define the regulatory obligations.

Framework Control / Reference Relevance
NIST CSF 2.0 GV.OV Governance and oversight address lifecycle control gaps that let ghost worker records persist.
NIST SP 800-63 Digital identity assurance informs confidence in who is entitled to a worker record and payment.
OWASP Non-Human Identity Top 10 NHI governance patterns apply when payroll or HR system identities remain active without justification.
DORA Operational resilience rules support controls over data integrity and processing continuity in payroll flows.
PCI DSS v4.0 Credential and access controls are relevant where payroll systems contain payment data and privileged access.

Restrict access to payroll systems and review entitlements to prevent fraudulent maintenance of ghost workers.