TL;DR: Identity governance is moving earlier in the lifecycle, where trust decisions are harder to reverse, as JumpCloud’s new venture arm backs early-stage identity, security, AI, and IT productivity startups, with its first investment in Tofu, a company focused on identity fraud in hiring and onboarding, a risk that begins before login and grows with remote work.
NHIMG editorial — based on content published by JumpCloud: New investment arm reflects JumpCloud’s commitment to building a more secure and productive tech ecosystem
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should security teams prevent identity fraud during hiring and onboarding?
A: Security teams should place verification controls before account creation, not after.
Q: Why does hiring fraud create IAM risk before a user logs in?
A: Hiring fraud creates IAM risk before login because the organisation may already have accepted the candidate as a trusted identity.
Q: What do organisations get wrong about identity checks in remote onboarding?
A: Many organisations treat remote onboarding as a documentation problem instead of an assurance problem.
Practitioner guidance
- Insert identity verification before account creation Require stronger evidence checks before an onboarding workflow can create accounts, issue credentials, or assign system access.
- Map hire-to-access trust handoffs Document where candidate identity, employment identity, and access identity are transferred between HR, IAM, and IT systems.
- Review remote onboarding for impersonation exposure Examine workflows that rely on uploaded documents, asynchronous approvals, or limited live interaction.
What's in the full analysis
JumpCloud's full article covers the operational detail this post intentionally leaves for the source:
- The company rationale for launching JumpCloud Ventures and why identity, security, AI, and IT productivity are grouped together.
- Background on the first investment in Tofu and how the startup frames identity fraud in hiring.
- The founder commentary on remote work, trust, and where identity risk begins earlier in the employee lifecycle.
- The broader context for JumpCloud's view of secure workforce identity across humans and autonomous AI agents.
👉 Read JumpCloud’s announcement on its new venture arm and first investment →
Identity fraud in hiring: what this means for IAM teams?
Explore further
Identity fraud in hiring is a lifecycle control problem, not a recruitment edge case. The article points to a failure that starts before account issuance, which means identity programmes cannot treat recruiting as outside the IAM perimeter. Once candidate trust is assumed, downstream access decisions inherit that assumption. Practitioners should treat hiring as the first identity governance gate, not a separate business process.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often identity governance fails when ownership and oversight are incomplete.
A question worth separating out:
Q: How can IAM, HR, and security share responsibility for hire-to-access risk?
A: IAM, HR, and security should define who owns identity assurance before access is granted, who approves exceptions, and what evidence is required for different entitlement levels. That shared model prevents each team from assuming another already validated the candidate. The goal is one governance chain from recruitment to provisioning.
👉 Read our full editorial: JumpCloud Ventures signals early identity fraud risk moving left