TL;DR: Payroll fraud through “ghost workers” persists when payroll records are not tightly bound to verified identity, prompting Oyo State to launch a worker verification exercise using BVN, biometrics and document capture, according to Seamfix. The case shows that identity proofing and lifecycle governance must stay aligned or payment controls become easy to bypass.
At a glance
What this is: This is a payroll verification effort focused on removing ghost workers by validating civil servant identity through BVN, biometrics, and supporting documents.
Why it matters: It matters because payroll fraud is an identity governance failure, and the same lifecycle gaps that enable ghost workers can also undermine access, entitlement, and credential controls across NHI and human identity programmes.
👉 Read Seamfix's article on Oyo State's ghost worker verification initiative
Context
Ghost worker fraud happens when a person is paid as if they were active staff, but the employment relationship or identity record is stale, duplicated, or fabricated. In identity terms, the control failure is not just payroll accuracy, it is weak proofing, poor lifecycle assurance, and limited re-verification of who should still exist in the system. That same governance gap appears in many identity programmes when records are created once and never challenged again.
The article sits at the boundary between identity verification, fraud prevention, and access governance. Oyo State's verification drive uses BVN, fingerprints, portrait capture, and document checks to reconcile people against payroll records. For IAM and IGA teams, the lesson is that identity confidence decays over time unless enrolment, review, and offboarding controls keep pace with operational reality.
Key questions
Q: What breaks when payroll identities are not tied to current employment status?
A: Payroll becomes a payment channel for stale or fabricated identities, which means organisations keep paying people who are no longer entitled to receive funds. The control failure is usually poor lifecycle governance, weak reconciliation between HR and payroll, and insufficient re-verification. Without authoritative status checks, fraud can persist for long periods before anyone notices.
Q: Why do browser-based attacks matter to IAM and identity governance teams?
A: Browser-based attacks matter because the browser is where users authenticate, work, and move data in the same session. If IAM stops at login, it misses the post-authentication behaviour where phishing, fraud, and data leakage occur. Identity governance now has to include session policy and content control.
Q: How can organisations tell whether identity assurance is actually working?
A: Look for consistency across onboarding, recovery, and re-verification events. If those processes use the same quality of proof, the same audit trail, and the same ownership model, assurance is behaving like a control rather than a slogan. If one path is much easier than the others, the programme has a bypass.
Q: Who should be accountable when a ghost worker remains on payroll after biometric capture?
A: Accountability should sit with the teams that own identity lifecycle, payroll reconciliation, and exception approval, not with the capture event alone. If employment status, payment status, and biometric status are split across functions, each team can assume another owns the risk. Governance only works when one process owner can trace and close the entitlement gap.
Technical breakdown
Why ghost worker fraud is an identity lifecycle failure
Ghost workers exploit a simple break in the identity lifecycle: a record remains payable even when the person behind it is absent, duplicated, or never properly verified. The problem is not only fraudulent enrolment. It is also weak reconciliation between authoritative personnel data, payroll records, and ongoing employment status. In practice, this is a governance issue because identity proofing alone cannot compensate for poor record maintenance, absent recertification, or unmanaged exceptions. Where systems allow people to remain active after their real-world status changes, fraud becomes a process outcome rather than an isolated event.
Practical implication: align payroll and HR lifecycle controls so every active pay record has a current, verified employment status.
How BVN, biometrics, and document capture work together
BVN, biometrics, and supporting documents serve different functions in identity verification. BVN ties a person to a banking identity reference, biometrics help establish presence and uniqueness, and documents provide corroborating evidence. None of these controls is sufficient on its own. Fraud resistance comes from combining them and checking for duplicates or mismatches across records. The important design point is that identity evidence must be evaluated against a trusted source of truth, then retained in a way that supports later audit, review, and dispute handling. Without that full chain, verification becomes a one-time event instead of a durable control.
Practical implication: use multi-factor proofing and duplicate detection, then preserve evidence for audit and exception management.
Why payroll fraud has an IAM and PAM intersection
Although this article is about civil service payroll, the control logic maps closely to IAM and PAM. A ghost worker is effectively an over-retained entitlement in financial form, where the organisation continues to grant access to salary payments after the underlying identity should have been removed or challenged. That is the same structural issue seen when service accounts, tokens, or privileged accounts are left active beyond their intended lifecycle. The broader lesson is that identity governance fails when activation is easier than deactivation, and when periodic review does not trigger real remediation.
Practical implication: treat payroll, account, and entitlement offboarding as the same governance problem across human and non-human identities.
Threat narrative
Attacker objective: The objective is to obtain recurring salary payments without performing the work or maintaining a legitimate employment relationship.
- Entry occurs when a person is added to payroll without robust proof that the identity corresponds to an active civil servant.
- Escalation follows when duplicate, stale, or fabricated records survive routine payroll processing without challenge.
- Impact appears as ongoing salary payments to non-workers, draining public funds and weakening trust in the payroll system.
Breaches seen in the wild
- Coupang Signing Key Breach — Unrevoked signing key credentials expose 33.7 million records after employee offboarding failure at Coupang.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Ghost worker fraud is a form of identity lifecycle drift: once a payroll identity becomes detached from a real employment status, the organisation is no longer paying a person, it is paying a stale record. That failure mode is closely related to entitlement sprawl in IAM, where access persists because removal processes are weaker than creation processes. The practitioner lesson is to treat payroll verification as a lifecycle control, not a one-off compliance exercise.
Biometric proofing improves confidence, but it does not solve governance by itself: fingerprints, portraits, and BVN checks can reduce impersonation and duplication, yet they do not replace authoritative status management. If HR, payroll, and audit records are not reconciled continuously, a verified identity can still become a fraudulent payment recipient later. The practitioner conclusion is that verification evidence must feed an ongoing recertification model.
This case exposes a standing-payment privilege problem: the organisation has effectively allowed a financial entitlement to persist without continuous justification. That is conceptually similar to standing privilege in IAM and PAM, where access remains available long after the original need has passed. The conclusion for identity teams is to define clear expiry, review, and exception handling for every recurring entitlement.
Ghost worker controls belong in the same governance conversation as NHI lifecycle management: both problems are about proving that an identity still deserves to exist in an operational system. The intersection matters because organisations often harden machine identities while leaving human lifecycle controls fragmented. The practitioner implication is to unify review, evidence, and deprovisioning discipline across human and non-human identities.
From our research:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- From our research: The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- For teams hardening identity lifecycles, the NHI Lifecycle Management Guide shows how provisioning, rotation, and offboarding need to work together to stop stale access from surviving operational change.
What this signals
The broader signal for identity programmes is that verification campaigns only reduce risk when they are connected to a living lifecycle model. A one-time cleanse can expose fraud, but the control value comes from recurring reconciliation, exception governance, and removal discipline. That is why public-sector payroll and enterprise identity operations face the same structural challenge: records decay faster than most review cycles.
Identity confidence decay: the longer a record can survive without challenge, the more likely it is to drift away from the real-world status it is supposed to represent. For practitioners, that means designing controls around continuous status validation, not periodic ceremonial checks. Where identity is part of payment, access, or privilege, the consequence of delay is accumulated exposure, not just administrative noise.
For practitioners
- Reconcile payroll to authoritative HR status Link salary eligibility to a current employment record that must be confirmed before each payment cycle. Do not let payroll continue on legacy records when the underlying worker status changes.
- Add duplicate detection to verification workflows Check BVN, biometrics, and supporting documents against existing records before approval so one person cannot appear more than once under slight variations of name or identifier.
- Define an offboarding trigger for payment removal Remove payment eligibility immediately when resignation, retirement, suspension, or death is confirmed through the approved source of truth, and require manual exception approval for reinstatement.
- Retain evidence for audit and dispute handling Store verification outputs, timestamps, and reviewer decisions so investigators can reconstruct why a worker was approved or rejected during the campaign and in later audits.
Key takeaways
- Ghost worker fraud is an identity governance failure, not just a payroll problem, because stale records keep generating payments after the real employment relationship has ended.
- Multi-factor verification helps, but the control only holds when HR, payroll, and audit records are continuously reconciled against an authoritative source.
- The practical fix is lifecycle discipline: clear offboarding triggers, duplicate detection, and evidence retention that supports both remediation and audit.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63A | Identity proofing is central to ghost worker detection and duplicate prevention. |
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and entitlement validation support access and eligibility governance. |
| NIST SP 800-53 Rev 5 | IA-2 | Authentication and identity assurance are relevant where workers must prove who they are. |
| GDPR | Art.32 | Biometric and identity data handling requires appropriate safeguards when personal data is processed. |
Map payroll eligibility checks to PR.AC-1 and require authoritative identity validation before payment activation.
Key terms
- Ghost Worker: A ghost worker is a payroll identity that remains active and payable even though no eligible person should be receiving that salary. The risk is usually caused by weak offboarding, poor master-data hygiene, or manual exceptions that let stale records persist in payment systems.
- Identity Lifecycle Governance: Identity lifecycle governance is the set of processes that create, change, review, rotate, and revoke access across human and non-human identities. It matters because access risk usually increases when lifecycle events are slow, incomplete, or disconnected from the systems that rely on them.
- Authoritative Identity Source: An authoritative identity source is the system trusted to define who or what should have access. It is usually the HR system for workforce identities or another governed directory for technical identities, and its accuracy determines whether automation strengthens or weakens control.
What's in the full analysis
Seamfix's full article covers the operational detail this post intentionally leaves for the source:
- The exact Oyo State verification workflow, including how workers are enrolled and checked against BVN records.
- The Bioregistra capture model for fingerprints, portrait data, and supporting documents across desktop, mobile, and web components.
- How the exercise is intended to detect multiple registrations and remove ghost workers from payroll.
- The role of Sally Tibbot Consulting in the verification process and the stated implementation timeline.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, and secrets management in a practitioner-focused format. It helps security and identity teams connect lifecycle controls across human and non-human identity programmes.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org