TL;DR: Deepfake impersonation and GenAI are making it easier for threat actors to pass as credible job candidates, and Proofpoint argues that the riskiest window is often the first 90 days after hire, when inherited access, limited visibility, and weak cross-functional escalation can combine. The governance gap is not hiring alone, but identity verification, access gating, and monitoring that assume the person who interviewed is the person who starts work.
NHIMG editorial — based on content published by Proofpoint: new-hire impersonation and insider-risk controls
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
Questions worth separating out
Q: What breaks when candidate identity is not verified strongly enough in hiring?
A: Weak verification breaks trust at the point where identity becomes access.
Q: Why do inherited rights increase insider-risk during onboarding?
A: Inherited rights increase risk because they copy access from a predecessor without re-testing need, sensitivity, or timing.
Q: How do security teams know if first-90-day monitoring is working?
A: It is working when the organisation can spot abnormal access, unusual data movement, or identity inconsistencies early enough to intervene before trust is established.
Practitioner guidance
- Require layered candidate verification Use live challenge questions, corroborated employment history, and documented approval before a candidate passes to final-stage interviews.
- Break automatic hereditary rights for sensitive roles Prevent inherited access from becoming the default for new hires.
- Place new hires into enhanced monitoring for 90 days Tag the account as high-risk during the early employment window and monitor for unusual downloads, privilege use, and access to data outside the role.
What's in the full article
Proofpoint's full blog covers the operational detail this post intentionally leaves for the source:
- Practical interview-stage verification tactics for spotting deepfake-assisted candidate impersonation
- Step-by-step onboarding controls for gating inherited rights until training thresholds are met
- Monitoring patterns for the first 90 days, including how to flag suspicious behaviour early
- Collaboration points between HR, security, and IAM when a candidate identity does not add up
👉 Read Proofpoint's analysis of deepfake-enabled new-hire insider risk →
New-hire impersonation and first-90-day risk: what should teams do?
Explore further
Deepfake-enabled hiring is an identity verification failure, not just an HR screening issue. The article shows how remote hiring, GenAI, and candidate facades reduce the reliability of first-pass judgement. That shifts the governance burden toward stronger verification, because visual presence and fluent answers no longer prove identity. Practitioners should treat candidate authenticity as a control domain, not an intuition test.
A question worth separating out:
Q: Who should be accountable when a fraudulent hire gets access?
A: Accountability should sit jointly with HR and security leadership because the control failure spans recruitment, identity proofing, and access governance. The practical answer is a shared decision path for offer, hire, and access issuance, with clear escalation when identity assurance is incomplete.
👉 Read our full editorial: New-hire impersonation is exposing a gap in insider risk controls