By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: IncodePublished September 11, 2025

TL;DR: Hiring workflows are increasingly being exploited by AI-powered bots, synthetic IDs, deepfakes, and proxy candidates, and Incode argues that traditional background checks and interview processes often verify documents after trust has already been granted. The result is a hiring pipeline that assumes the applicant is real, the documents are genuine, and the interviewer can spot deception, assumptions that no longer hold.


At a glance

What this is: This is an operational guide to hardening hiring against candidate fraud, with the key finding that legacy recruiting workflows are too trust-based to stop deepfakes, proxies, and synthetic identities.

Why it matters: It matters because hiring is now part of the identity security perimeter, and practitioners who own IAM, HR-linked access, and insider-risk controls need to verify people before onboarding grants real access.

👉 Read Incode's guidance on building a resilient hiring pipeline against candidate fraud


Context

Hiring has become an identity assurance problem, not just a talent acquisition process. When recruiters, hiring managers, and onboarding teams accept candidate-provided identity data at face value, they create a control gap that AI-powered fraud can exploit before employment status is ever confirmed.

That gap matters across human IAM, insider risk, and downstream access provisioning. If the identity presented in recruiting is not re-verified before credentials, devices, and system access are issued, the organisation can end up onboarding an impostor into trusted workflows.

The article argues that this is now a typical failure mode for modern hiring pipelines, especially in remote or hybrid processes where video interviews and document checks are easy to manipulate.


Key questions

Q: How should security teams stop candidate fraud before onboarding access is granted?

A: Security teams should place identity verification before final hiring decisions, not after them. The practical goal is to ensure the person interviewed, the person documented, and the person onboarded are the same individual before accounts, devices, or access rights are issued. That means HR, IAM, and security must share one verified identity record.

Q: Why do remote hiring workflows increase identity fraud risk?

A: Remote hiring increases risk because interviewers lose physical presence, informal verification, and many of the cues people unconsciously use to spot deception. When video calls, document uploads, and email exchanges are the only controls, deepfakes and proxy candidates can look legitimate long enough to reach onboarding and receive real access.

Q: What breaks when hiring teams rely on background checks alone?

A: Background checks break as a primary control when they are run late and depend on candidate-provided identity data. They can confirm or reject details, but they cannot prove the applicant is the same person who interviewed. That leaves a gap between screening and identity assurance that fraudsters can exploit.

Q: Who is accountable when a fraudulent candidate becomes an employee?

A: Accountability is shared across HR, security, IAM, legal, and the hiring manager because each controls a different part of the trust chain. HR owns process design, IAM owns access issuance, security owns risk response, and legal helps ensure verification steps comply with employment and privacy obligations.


Technical breakdown

Why traditional hiring workflows fail identity verification

Traditional hiring workflows separate trust decisions from identity assurance. Recruiters evaluate experience, interview performance, and documents, but those signals do not prove that the person on screen is the same person who will appear on day one. The failure is structural: identity checks often happen after conditional offers, while video meetings rarely include liveness checks or stronger verification gates. In fraud cases, AI-assisted coaching, deepfakes, and proxy candidates exploit that delay. The pipeline optimises for speed and candidate experience, but those goals can conflict with strong identity assurance.

Practical implication: move identity verification earlier than offer stage and treat interview completion as insufficient evidence of who a candidate really is.

How deepfakes and proxy candidates bypass interview controls

Deepfakes and proxy candidates work because the interview process still assumes the visible participant is the real applicant. A synthetic face, altered voice, or stand-in can satisfy scripted questions well enough to pass a standard remote interview. The technical weakness is not the video platform itself but the lack of linked proof between the person, the device, and the verified identity record. Without liveness verification, document binding, and escalation paths for suspicious behaviour, interviewers are left to judge appearance and performance only.

Practical implication: add live identity checks, liveness signals, and anomaly escalation for finalists and remote interviews.

Why onboarding must be tied to the verified identity

Onboarding is where identity fraud turns into operational access. Once HR or IT creates accounts, assigns devices, or enrolls the new hire into IAM workflows, the organisation has extended trust into systems and data. That makes onboarding the last meaningful verification point before access becomes real. If the onboarding identity does not match the hiring identity, downstream controls inherit the mistake. The problem is especially acute when account creation, MFA enrollment, and device shipment are handled separately, because the mismatch can persist across multiple systems.

Practical implication: bind account provisioning, device issuance, and access enrollment to the same verified identity record used in hiring.


Threat narrative

Attacker objective: The attacker’s objective is to convert hiring trust into durable insider access that can be monetised through theft, sabotage, or downstream compromise.

  1. Entry begins when an attacker uses a synthetic identity, proxy candidate, or deepfake to pass recruiter screening and remote interviews.
  2. Escalation occurs when the organisation issues employee accounts, devices, or internal access based on the false identity, turning hiring trust into legitimate access.
  3. Impact follows when the fraudulent hire abuses insider access for data theft, sabotage, extortion, or supply chain compromise.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Hiring security is now an identity governance problem, not a recruitment edge case. The article shows that candidate fraud succeeds when organisations treat hiring as a trust exercise instead of an identity assurance workflow. Background checks, interviews, and references all operate after trust has already been extended, which is too late for modern deception techniques. Practitioners should treat pre-employment verification as part of identity governance, not a separate HR process.

The core failure is candidate-provided identity trust. That assumption was designed for an era when documents, voices, and video presence were harder to fake at scale. It fails when applicants can use synthetic identities, deepfakes, or proxies to supply convincing but false identity signals. The implication is not simply more screening, but a rethink of where identity truth is established in the hiring lifecycle.

Hiring pipelines need a named control concept: pre-onboarding identity binding. Identity, device issuance, and account creation must all reference the same verified person record, or the organisation creates a mismatch that propagates into IAM and insider-risk tooling. This is where workforce identity and human IAM meet operational security. If the person hired is not bound to the person verified, downstream controls are already compromised.

Cross-functional ownership is now mandatory because the attack spans HR, IAM, legal, and security. No single team can see the whole failure chain. HR sees the candidate, IAM sees the account, and security sees the risk after access has been granted. The governance model must connect those functions before a false identity becomes an employee, a contractor, or a privileged insider.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • A useful forward reference is the 52 NHI Breaches Analysis, which shows how identity trust failures become breach paths when lifecycle controls are missing.

What this signals

Pre-onboarding identity binding: hiring security is converging with identity governance because the trust decision now happens before day one, not at day one. Organisations that still separate HR vetting from IAM provisioning will continue to create a handoff gap that fraud can exploit, especially in remote-first environments.

With 91.6% of secrets remaining valid five days after notification, weak lifecycle discipline in one part of identity operations often correlates with weak trust controls in another. The same maturity problem that delays revocation can also delay verification.

Practitioners should expect candidate fraud controls to become part of broader workforce identity programmes. That means tying hiring workflows to access governance, insider-risk review, and verified identity evidence before systems trust the new worker.


For practitioners

  • Move identity verification earlier in hiring Verify government ID, selfie liveness, or equivalent identity evidence before final interviews or offers for roles that will receive system access. Treat late-stage background checks as supplementary, not primary assurance.
  • Bind onboarding to a verified identity record Require HR, IAM, and IT to use the same verified identity record for account creation, device shipment, MFA enrollment, and access grants. Stop provisioning if the hiring identity and onboarding identity do not match.
  • Train recruiters to escalate suspicious identity signals Give hiring teams a documented path for deepfake cues, voice anomalies, mismatched documents, or proxy behaviour. Make escalation routine so recruiters can pause rather than rationalise away unusual candidate behaviour.
  • Add insider-risk review for remote hires in sensitive roles Flag roles with elevated access, export-controlled data, or code deployment privileges for additional screening and post-hire monitoring. Use the hiring event as an input to insider-risk analysis, not just HR workflow.

Key takeaways

  • Hiring fraud is no longer just a people problem. It is an identity assurance problem that can turn recruitment into an insider access path.
  • Late background checks do not prove who the candidate is. When verification happens after trust is granted, deepfakes and proxy candidates can already be inside the pipeline.
  • Security teams should bind hiring, onboarding, and IAM to one verified identity. That is the control that closes the gap between applicant, employee record, and real access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing is central to stopping candidate impersonation.
NIST CSF 2.0PR.AA-1Workforce identity assurance maps to authentication and identity management.
NIST SP 800-53 Rev 5IA-8IA-8 covers identification and authentication of users and supports stronger workforce onboarding.
ISO/IEC 27001:2022A.6.1Personnel security controls apply when hiring can introduce insider risk.
GDPRArt.32Identity verification processes must protect candidate data when personal data is processed.

Treat recruitment and onboarding as personnel security processes with documented approval gates.


Key terms

  • Candidate Fraud: Candidate fraud is the use of false, stolen, synthetic, or proxy identity information to obtain employment or access. In hiring workflows, it turns a recruitment process into an identity attack surface, especially when verification is delayed until after trust and access decisions have already been made.
  • Identity Verification: Identity verification is the process of confirming that a person is who they claim to be using evidence that is harder to fake than a resume or interview performance. In hiring, it should link the applicant, the onboarding record, and the eventual access account to the same verified individual.
  • Insider Risk: Insider risk is the possibility that someone with legitimate organisational access will misuse, lose, or be unable to safely protect that access. In the hiring context, a fraudulent employee is an extreme insider risk because the organisation grants trust before the deception is discovered.
  • Pre-onboarding Identity Binding: Pre-onboarding identity binding is the practice of linking hiring verification, employee records, device issuance, and access provisioning to one verified identity before work starts. It reduces the chance that a fake applicant can become a real user in IAM, HR, and endpoint systems.

What's in the full article

Incode's full article covers the operational detail this post intentionally leaves for the source:

  • A step-by-step resilient hiring pipeline for security and trust checks across recruiting and onboarding.
  • Specific identity verification checkpoints for interviews, finalists, and day-one access issuance.
  • Practical examples of how CHROs and CISOs can coordinate hiring security and insider-risk controls.
  • The vendor's detailed list of candidate verification and screening measures for remote hiring environments.

👉 The full Incode article covers the hiring-stage controls, identity checks, and onboarding safeguards in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org