TL;DR: Gartner says one in four candidate profiles worldwide could be fake by 2028, while real cases such as KnowBe4 and suspected North Korean applicants at Amazon show how stolen identities and deepfakes can get through hiring controls, according to 1Kosmos. The governance gap starts before onboarding, where identity verification must move earlier than traditional HR and security checks.
At a glance
What this is: This article argues that employee onboarding has become an identity attack surface because fake candidates can pass recruitment controls and receive credentials before defenders detect the fraud.
Why it matters: It matters because IAM, HR, and security teams need to treat hire-stage identity verification as part of access governance, not as a post-hire compliance step.
By the numbers:
- By 2028, one in four candidate profiles worldwide will be fake.
- Amazon blocked more than 1,800 suspected North Korean job applications between April 2024 and December 2025.
- KnowBe4 hired a North Korean threat actor who started loading malware within 25 minutes of receiving a company laptop.
Context
Employee onboarding is no longer just an HR workflow. When identity is not verified early, a fraudulent candidate can move from application to credentials with little resistance, and that changes the control problem from screening resumes to preventing credentialed insider access.
For IAM and security teams, the issue is not background checks alone. The real failure is that standard hiring processes often assume the person at interview, offer, and hire is the same person who will later receive access, which is exactly what state-backed impersonation campaigns exploit.
Key questions
Q: What breaks when employee onboarding does not verify identity early enough?
A: When identity is not verified before credentials are issued, onboarding becomes an access pathway for impostors. The failure is that background checks and interviews can be passed by a false candidate, after which the organisation has already granted insider-level trust. At that point, traditional perimeter defences are reacting too late.
Q: Why do fake candidates create an IAM problem instead of only an HR problem?
A: Fake candidates create an IAM problem because the risk materialises when a false identity receives accounts, devices, and access rights. That is an identity lifecycle failure, not just a hiring mistake. Once access is granted, privilege, monitoring, and incident response all assume the wrong person is inside the environment.
Q: How can organisations detect onboarding fraud before access is granted?
A: Use layered verification that combines government document authentication, live biometric matching, and contextual risk signals from the application and interview process. No single check is enough against deepfakes and stolen identities. The goal is to force attackers out before they reach the hire phase and receive credentials.
Q: Who should be accountable when a fraudulent hire gets access?
A: Accountability should sit jointly with HR and security leadership because the control failure spans recruitment, identity proofing, and access governance. The practical answer is a shared decision path for offer, hire, and access issuance, with clear escalation when identity assurance is incomplete.
Technical breakdown
Why hiring-stage identity proofing now belongs in access governance
Hiring-stage identity proofing closes the gap between candidate vetting and credential issuance. In these attacks, adversaries use stolen identities, synthetic documents, and deepfake video to survive conventional screening, then obtain corporate access through a legitimate hire path. That makes the onboarding workflow itself part of the trust chain. The technical issue is not simply weak HR screening, but the absence of binding proof between the applicant, the interviewee, and the person who receives credentials. Practical implication: move identity assurance earlier, before access is issued.
Practical implication: require identity proofing before credentials are granted, not after the employee record is created.
How deepfakes and synthetic identities bypass human review
Deepfakes reduce the reliability of interview-based verification because visual confidence no longer proves identity. Attackers pair AI-generated images with fabricated government documents and remote facilitation to create a convincing but false identity trail. This undermines processes that rely on human judgment at a single point in time. The control failure is temporal: the check happens once, but the attacker only needs to look legitimate long enough to cross the hire threshold. Practical implication: verification must combine document authenticity, biometric match, and contextual risk signals.
Practical implication: combine document checks, biometric matching, and contextual risk scoring in the hiring flow.
Why onboarding fraud becomes an insider-risk problem after access is issued
Once a fraudulent hire receives credentials, the threat changes from applicant fraud to credentialed insider abuse. That actor can move laterally, exfiltrate data, plant malware, or establish a foothold for later operations. The important point is that standard perimeter controls are poorly matched to this scenario because the threat is already inside through an approved identity lifecycle event. Practical implication: extend insider-risk monitoring to new hires and watch for remote access tools, unusual location changes, and anomalous device behaviour.
Practical implication: treat new hires as monitored insider-risk subjects until identity assurance is established.
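A minimal sketch of the new-hire monitoring described above, added here as an illustration and not taken from the article or from 1Kosmos. The event fields, the 30-day watch window, the expected login hours and the tool names are assumptions, and the telemetry is constructed.

```python
from datetime import datetime, timedelta

# Assumptions, not from the article: event field names, the 30-day watch
# window, the 06:00-22:00 login window and the tool names are placeholders.
# Timestamps are assumed to be in the hire's declared local time.
WATCH_DAYS = 30
UNAPPROVED_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}

def flag_new_hire_events(handoff, declared_country, events):
    """Return (minutes_since_handoff, reason) findings for one new hire."""
    findings = []
    last_country = declared_country
    window_end = handoff + timedelta(days=WATCH_DAYS)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not handoff <= ev["ts"] <= window_end:
            continue  # only the heightened-monitoring period is scored
        minutes = int((ev["ts"] - handoff).total_seconds() // 60)
        if ev["type"] == "process":
            if ev["name"].lower() in UNAPPROVED_REMOTE_TOOLS:
                findings.append((minutes, "unapproved remote access tool " + ev["name"]))
        elif ev["type"] == "login":
            if ev["country"] != last_country:
                findings.append((minutes, f"location change {last_country}->{ev['country']}"))
                last_country = ev["country"]
            if not 6 <= ev["ts"].hour < 22:
                findings.append((minutes, "login outside expected hours"))
    return findings

# Constructed sample telemetry for one hire (not real data).
HANDOFF = datetime(2025, 3, 3, 9, 0)
SAMPLE_EVENTS = [
    {"ts": datetime(2025, 3, 3, 9, 5), "type": "login", "country": "US"},
    {"ts": datetime(2025, 3, 3, 9, 25), "type": "process", "name": "AnyDesk.exe"},
    {"ts": datetime(2025, 3, 4, 2, 40), "type": "login", "country": "US"},
    {"ts": datetime(2025, 3, 5, 10, 0), "type": "login", "country": "PL"},
    {"ts": datetime(2025, 6, 1, 10, 0), "type": "login", "country": "DE"},
]

if __name__ == "__main__":
    for minutes, reason in flag_new_hire_events(HANDOFF, "US", SAMPLE_EVENTS):
        print(f"+{minutes:>5} min  {reason}")
```

Reporting minutes since device handoff keeps early activity visible to the reviewer; the last sample event falls outside the watch window and is deliberately not scored.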
Threat narrative
Attacker objective: The objective is to gain legitimate employee access that can be converted into insider position, intellectual property theft, and persistent network presence.
- Entry begins when attackers use stolen identities, fabricated documents, and deepfake interviews to pass hiring controls and obtain a corporate laptop.
- Escalation occurs after the fraudulent hire receives credentials and access, allowing the actor to operate as a credentialed insider rather than an outsider.
- Impact follows through malware installation, lateral movement, data theft, and the creation of persistent footholds inside the enterprise.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
NHI Mgmt Group analysis
Employee onboarding has become an identity control point, not a back-office process. The article shows that the trust decision is happening before access issuance, which means recruitment and IAM are now coupled. Once the wrong person is hired, the security programme has already lost the first and most important verification step. Practitioners should treat hire-stage proofing as part of identity governance.
Early-stage identity verification exposes a governance gap, not just a fraud problem. Background checks, reference calls, and video interviews were never designed to defeat state-backed impersonation with synthetic media and stolen identities. The failure mode is not one missing control, but a control sequence that still assumes the applicant is genuine until after credentials are granted. Practitioners need to reframe onboarding as an access decision, not an HR formality.
Conditional trust in candidate identity is the new minimum bar. Gartner's reporting, paired with cases such as KnowBe4 and Amazon, shows that adversaries are using the recruitment path as an access route. That means assurance must rise before hire, not after first login, and the governance model must separate application intent from verified identity. Practitioners should align onboarding assurance with access risk.
Hybrid HR and security ownership is now mandatory for identity assurance. The article makes clear that HR teams cannot be expected to detect nation-state tradecraft alone, and security teams cannot stay outside the hiring workflow. The structural answer is shared accountability across CHRO and CISO functions, with identity verification embedded at offer and hire stages. Practitioners should formalise that joint control model.
Identity proofing at hire is becoming a prerequisite for least privilege. Least privilege only works when the subject receiving access is the subject the business intended to trust. When applicants can impersonate legitimate hires, access scoping starts from a false premise and every downstream control inherits that error. Practitioners should view verification as the foundation that makes privilege assignment meaningful.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
- For the governance angle that connects hiring fraud to broader identity risk, see Top 10 NHI Issues for the access-control blind spots that emerge when identity assurance fails.
What this signals
Candidate identity is becoming a pre-access trust decision, not a verification afterthought. Organisations that still treat hiring fraud as an HR-only concern will miss the point that access issuance now depends on proving who the candidate really is. The control boundary has shifted upstream, and programmes that cannot verify identity before hire are effectively accepting insider risk at the door.
The practical next step is to align onboarding controls with identity lifecycle governance, including offer-stage proofing, credential gating, and insider-risk monitoring for new hires. Teams should also map where synthetic identity and deepfake indicators can be surfaced inside recruitment workflows, because the threat is no longer limited to obviously suspicious candidates. For the governance model behind this shift, compare it with Ultimate Guide to NHIs, Key Challenges and Risks.
Identity assurance at hiring is now part of resilience planning. If state-backed actors can pass recruitment screens, then the issue extends beyond fraud prevention into business continuity, data protection, and insider threat management. Security leaders should prepare for more joint ownership between HR and security, because the attacker is targeting the point where trust becomes access, not just the endpoint after login.
For practitioners
- Move identity proofing into the hiring workflow: Require proof of identity at the offer or hire stage before credentials are issued, and do not rely on post-hire checks to catch impersonation after access has already been granted.
- Link HR and security approval paths: Define a shared process between CHRO and CISO teams so contextual risk signals, interview anomalies, and document verification results can block or escalate suspicious candidates.
- Extend insider-risk monitoring to new employees: Watch for abrupt location changes, unauthorised remote access tools, unusual login timing, and early signs of device abuse during the first period of access.
- Validate identity before credential handoff: Treat laptop shipment, account creation, and directory activation as controlled steps that depend on a verified person, not as routine onboarding tasks.
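One way to express the credential gate described in this list, added here as an example and not taken from the article or any vendor's product. The stage names, step names, record fields and the 0.90 match threshold are assumptions; the point is that every stage must bind to the same enrolled person before any gated step is released.

```python
from dataclasses import dataclass

# Assumptions, not from the article or any product: stage and step names,
# the 0.90 match threshold and the record fields are illustrative.
REQUIRED_STAGES = ("application", "interview", "credential_handoff")
GATED_STEPS = ("laptop_shipment", "account_creation", "directory_activation")
MATCH_THRESHOLD = 0.90

@dataclass
class LiveCheck:
    stage: str
    liveness_passed: bool
    match_score: float   # live capture vs. the enrolled reference
    reference_id: str    # which enrolled reference the capture was matched to

def gate_provisioning(document_authentic, checks, hr_ok, security_ok, risk_flags=()):
    """Release gated steps only when every stage binds to one verified person."""
    holds = []
    if not document_authentic:
        holds.append("government document failed authentication")
    by_stage = {c.stage: c for c in checks}
    for stage in REQUIRED_STAGES:
        c = by_stage.get(stage)
        if c is None:
            holds.append(f"{stage}: no live identity check recorded")
        elif not c.liveness_passed:
            holds.append(f"{stage}: liveness check failed")
        elif c.match_score < MATCH_THRESHOLD:
            holds.append(f"{stage}: biometric match below threshold")
    if len({c.reference_id for c in checks}) > 1:
        holds.append("stages matched against different enrolled references")
    if not (hr_ok and security_ok):
        holds.append("joint HR and security approval incomplete")
    holds.extend(f"unresolved risk signal: {flag}" for flag in risk_flags)
    return {"release": list(GATED_STEPS) if not holds else [], "holds": holds}

# Constructed records: in SWAPPED the person at handoff is not the one proofed earlier.
GOOD = [LiveCheck(s, True, 0.97, "ref-001") for s in REQUIRED_STAGES]
SWAPPED = GOOD[:2] + [LiveCheck("credential_handoff", True, 0.95, "ref-002")]

if __name__ == "__main__":
    print(gate_provisioning(True, GOOD, True, True))
    print(gate_provisioning(True, SWAPPED, True, True))
    print(gate_provisioning(True, GOOD[:2], True, False, ["interview anomaly"]))
```

The `SWAPPED` case passes every individual check yet is still held, because the handoff capture was matched against a different enrolled reference than the earlier stages.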
Key takeaways
- Employee onboarding is now an identity attack surface because a fake candidate can become a credentialed insider before security teams detect the fraud.
- The evidence is growing fast, from one in four candidate profiles projected to be fake by 2028 to real-world cases where suspicious applicants were blocked at scale.
- The control that matters most is early identity proofing at offer or hire stage, before credentials, devices, and access rights are handed over.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity verification before access issuance maps to access control decisions. |
| NIST SP 800-63 | | Candidate proofing and biometric matching align with digital identity assurance. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Least-privilege trust only works when the subject is verified first. |
Gate account creation on verified identity and documented approval before any access is granted.
Key terms
- Hiring-stage identity proofing: Hiring-stage identity proofing is the set of checks used to confirm that a candidate is the real person they claim to be before access is issued. It combines document validation, biometric match, and context-aware risk review so the organisation does not hand accounts to an impostor.
- Credentialed insider: A credentialed insider is an actor who has obtained legitimate access through approved processes but should not be trusted because the underlying identity is false or compromised. The danger is that normal permissions, monitoring, and trust assumptions all activate once the account is issued.
- Identity lifecycle governance: Identity lifecycle governance is the discipline of controlling identities from creation through verification, access assignment, monitoring, and offboarding. In this context, it means the hire event must be treated as a security control point, because access decisions depend on verified identity.
- Synthetic identity: A synthetic identity is a fabricated or blended identity assembled from real and false attributes to evade verification and background checks. Attackers use synthetic documents, profile images, and supporting details to create a convincing person that can survive human review long enough to gain access.
This post draws on content published by 1Kosmos: Research from Gartner highlights employee onboarding as part of the attack surface. Read the original.
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org