TL;DR: Identity verification in hiring is moving from manual review to automated checks that combine phone, email, document, and selfie liveness signals, according to Incode. The governance challenge is no longer speed versus security, but whether hiring workflows can verify people without creating blind spots in fraud prevention or candidate record integrity.
NHIMG editorial — based on content published by Incode: Incode Named Winner of the Fall 2025 You Did WHAT With Tines?! Awards
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
Questions worth separating out
Q: How should organisations govern candidate identity verification in hiring workflows?
A: Organisations should treat candidate verification as a governed onboarding control, not a recruiter-only task.
Q: Why do deepfakes and impersonation attempts complicate hiring security?
A: Deepfakes and impersonation attempts weaken the assumption that a candidate record corresponds to a real person.
Q: What breaks when candidate verification is kept outside the ATS or HR system?
A: When verification sits outside the authoritative record, recruiters and downstream systems may still act on stale or incomplete information.
Practitioner guidance
- Embed identity proofing at defined hiring stages Map verification checkpoints to application, interview, and final onboarding stages so candidate assurance increases before any downstream employment or access decision is made.
- Write verification outcomes into the candidate record Ensure verified status, evidence, and failure states are stored in the system of record so recruiters and security teams operate on the same authoritative identity state.
- Treat deepfake resistance as a policy control Set escalation rules for failed liveness checks, repeated retries, and exceptions, then require human review only for defined edge cases rather than every case.
What's in the full article
Incode's full post covers the operational detail this post intentionally leaves for the source:
- Workflow logic for moving from lightweight screening to full document and selfie verification.
- The exact Greenhouse record updates used to preserve verified status, ID images, and selfie evidence.
- How the hiring workflow branches on verification success or failure without manual intervention.
- The award context and submission details behind the Tines Fundamentals recognition.
👉 Read Incode's analysis of automated candidate verification in hiring workflows →
Candidate verification automation in hiring: are your controls keeping up?
Explore further
Candidate verification is becoming an identity governance control, not a recruiting convenience. Once identity proofing is embedded inside the hiring workflow, the question is no longer whether recruiters can move faster. The question is whether the organisation can trust the candidate record well enough to use it as a security boundary. That places workforce onboarding squarely inside IAM, IGA, and fraud prevention design. The practitioner implication is that hiring workflows now need assurance levels, not just process efficiency.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who is accountable when a fraudulent applicant passes identity verification?
A: Accountability sits across HR, security, and identity governance because candidate verification is now part of the onboarding control plane. HR owns the process, security owns the assurance requirements, and IAM owns how verified status influences provisioning and access. If any of those are disconnected, the organisation cannot prove who approved the risk.
👉 Read our full editorial: Candidate verification automation is reshaping hiring identity controls