Evidence Packs as a Control: Code, Video, and Decisions
A CISO briefing on turning hiring signals into tamper-resistant evidence: what to log, who approves, and how to keep speed without losing audit defensibility.

A hiring decision without a timestamped evidence pack is an access grant you cannot defend.
Real Hiring Problem
Recommendation: Treat every hire like a privileged access request and require an evidence pack before offer and before onboarding access.
Scenario: A new engineer passes a video screen and a coding test. Two weeks after start, Security investigates suspicious activity. Legal asks for the hiring record. You discover the "decision" is an email thread, the identity check is a screenshot, and reviewer notes are in Slack with no timestamps tied to the ATS candidate ID.
Risk framing for a CISO:
- Audit liability: you cannot reconstruct approver identity, decision timestamps, or the exact artifacts reviewed.
- Legal exposure: a decision without evidence is not audit-ready, and exception handling without logs is indefensible.
- Cost of mis-hire: SHRM cites replacement costs in the 50-200% of annual salary range depending on role. Your highest-risk roles are also your highest replacement-cost roles.
- SLA breakdown: when evidence is scattered, review queues stall. Time-to-offer slips, offer-to-start fallout increases, and you still do not gain defensibility.
WHY LEGACY TOOLS FAIL
Recommendation: Stop asking tools to "integrate" and start requiring an ATS-anchored audit trail with immutable event logs and a unified evidence pack schema.
Why the market failed to solve this: most ATS, background check, interview, and coding tools were built to complete a task, not to produce a defensible record of decision-making. They do not share a common event model, so you cannot prove ordering (what happened before what), nor can you enforce review-bound SLAs.
Common failure mechanisms you can audit for:
- Sequential checks that force waiting and increase manual handoffs.
- No unified evidence packs. Artifacts exist, but are not assembled into a single, reviewable record tied to the candidate lifecycle.
- No immutable event log across steps. You get screenshots, not tamper-resistant timestamps.
- No standardized rubric storage. Scorecards drift by team, role, and reviewer.
- Shadow workflows: Slack approvals, spreadsheet scoring, email exceptions. If it is not logged, it is not defensible.
OWNERSHIP & ACCOUNTABILITY MATRIX
Recommendation: Assign one owner per control, and make the ATS the system of record for state changes, while evidence packs aggregate artifacts from verifications, interviews, and assessments.
Process ownership (operator model):
- Recruiting Ops owns workflow design, routing, and SLA enforcement for review queues.
- Security owns identity gating policy, fraud escalation thresholds, access control, and audit policy for evidence retention and retrieval.
- Hiring Managers own rubric discipline, reviewer training, and final score justification in structured notes.
- Analytics owns segmented risk dashboards, time-to-event reporting, and funnel leakage diagnostics.
Automation vs manual review:
- Automated: identity verification checks, fraud signal collection, assessment telemetry capture, evidence pack assembly, and policy gating on required events.
- Manual: exception approvals, fraud escalations, rubric-based scoring notes, and dispute resolution outcomes.
Sources of truth:
- ATS is the system of record for candidate lifecycle state and approvals.
- Verification and assessment services are sources of evidence. Their outputs must be written back into the ATS as immutable events and referenced in the evidence pack.
Hiring Manager: rubric score + structured justification note
Recruiting Ops: workflow completion attestation + SLA compliance
Security (conditional): fraud escalation decision and exception approval
MODERN OPERATING MODEL
Recommendation: Run hiring as an instrumented workflow where every access grant is gated by identity and backed by an evidence pack.
Operating model components:
- Identity verification before access: do not allow interview, assessment, or offer steps to proceed without an identity gate appropriate to the role risk tier.
- Event-based triggers: each completion event (identity verified, assessment submitted, reviewer score logged) triggers the next step automatically, not via manual nudges.
- Automated evidence capture: store code execution telemetry, plagiarism signals, interview metadata, and reviewer notes as part of a candidate-specific evidence pack.
- Analytics dashboards: track time-to-event (verification complete, assessment reviewed, decision approved), SLA breaches, and risk signals together.
- Standardized rubrics: store rubrics as versioned artifacts and require structured reviewer notes tied to rubric categories, not freeform text in side channels.
Who was the candidate, and how was identity verified (with timestamps)?
What work was submitted, and what telemetry indicates authenticity (code playback, execution events, plagiarism signals)?
Who reviewed what, when, and under which rubric version?
What exceptions were granted, by whom, and with what rationale?
WHERE INTEGRITYLENS FITS
Recommendation: Use IntegrityLens AI as the ATS-anchored control plane that assembles tamper-resistant evidence packs while keeping recruiting velocity through parallelized checks.
IntegrityLens enables the workflow by:
- Running AI coding assessments across 40+ languages with plagiarism detection and execution telemetry so reviewers can validate work based on evidence, not intuition.
- Applying multi-layered fraud prevention signals including deepfake detection, proxy interview detection, behavioral signals, and device fingerprinting with continuous re-authentication where policy requires it.
- Creating immutable evidence packs with timestamped logs, reviewer notes, and ATS write-backs so every decision is reconstructable.
- Enforcing review-bound SLAs via instrumented queues so escalations are measurable and owned.
- Supporting zero-retention biometrics architecture so you can retain proof without retaining unnecessary biometric payloads.
ANTI-PATTERNS THAT MAKE FRAUD WORSE
Recommendation: Remove ambiguity. Fraud scales in the gaps between tools and between owners.
Do not do these three things:
- Let reviewers score from memory. If notes are not captured as structured fields tied to rubric categories and timestamps, you cannot defend consistency or reconstruct decisions.
- Allow "temporary" exceptions via Slack or email. Exceptions without an approver identity, reason code, and expiration create permanent audit liabilities.
- Run checks in a waterfall. Sequential identity, interview, and assessment steps maximize delay and increase the chance of unverified access to interview links and code tests.
IMPLEMENTATION RUNBOOK
Candidate enters funnel (Source candidates)
- Owner: Recruiting Ops
- SLA: 4 business hours to route into correct risk tier
- Logged: candidate ID creation, role risk tier, consent capture timestamp
Identity gate before access to interview and assessments
- Owner: Security (policy), Recruiting Ops (operations)
- SLA: verification completed in under 3 minutes for most candidates based on typical document + voice + face flows, with exceptions routed to review queue
- Logged: liveness result, face match, document authentication result, verification start and end timestamps, reviewer decision if manual review occurs
Async screening interview (video) and metadata capture
- SLA: invite within 2 hours of verification completion event; review within 24 business hours
- Logged: interview session ID, start and end timestamps, identity re-auth result if required, interviewer rubric version, reviewer notes
Technical assessment with authenticity signals
- Owner: Hiring Manager (rubric), Recruiting Ops (routing)
- SLA: candidate completion window set by role; review within 48 business hours of submission
- Logged: language, test version, code playback pointer, execution telemetry summary, plagiarism signal, reviewer score and notes
Decision and offer gate
- Owner: Hiring Manager (decision), Security (conditional approval for escalations), Recruiting Ops (workflow)
- SLA: decision within 24 business hours after last review completes
- Logged: decision event, approver identity, time-to-decision, exception approvals with expiration by default
Evidence pack finalization and retention policy
- Owner: Security (retention and retrieval), Legal (policy sign-off), Recruiting Ops (process compliance)
- SLA: evidence pack generated immediately upon decision event and attached to ATS record
- Logged: immutable evidence pack ID, hash or integrity marker, access logs for who viewed or exported the pack
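One way to make the runbook's event log tamper-evident and derive the "hash or integrity marker" logged at finalization, as an added example that is not IntegrityLens code. The SHA-256 hash chain, the field names and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first event in a log

def _digest(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators) so an event always hashes the same.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()

def append_event(log, candidate_id, event, actor, ts):
    """Append an event whose hash covers its content and the previous event's hash."""
    body = {"candidate_id": candidate_id, "event": event, "actor": actor, "ts": ts}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**body, "prev": prev, "hash": _digest(prev, body)})
    return log[-1]["hash"]

def verify_log(log):
    """Return the index of the first altered, reordered or orphaned entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in ("candidate_id", "event", "actor", "ts")}
        if entry["prev"] != prev or entry["hash"] != _digest(prev, body):
            return i
        prev = entry["hash"]
    return -1

def pack_integrity_marker(log):
    """Marker recorded at finalization: the hash of the last event in the chain."""
    return log[-1]["hash"] if log else GENESIS

def build_sample_log():
    # Constructed sample events; IDs, actors and timestamps are illustrative only.
    log = []
    for event, actor, ts in [
        ("candidate.created", "recruiting-ops", "2024-01-08T09:00:00Z"),
        ("identity.verification.completed", "verification-service", "2024-01-08T09:03:10Z"),
        ("assessment.submitted", "candidate", "2024-01-09T14:20:00Z"),
        ("review.completed", "reviewer-17", "2024-01-10T10:05:00Z"),
        ("decision.logged", "hiring-manager-4", "2024-01-10T16:30:00Z"),
    ]:
        append_event(log, "cand-0001", event, actor, ts)
    return log
```

A chain like this is tamper-evident rather than tamper-proof: anyone able to rewrite the whole log can recompute it, and dropping events from the end leaves a valid shorter chain, so the marker has to be stored apart from the log, for example on the ATS record.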
CLOSE: IMPLEMENTATION CHECKLIST
Recommendation: If you want to implement this tomorrow, start by gating the offer step on evidence pack completeness and reviewer accountability.
If you want to implement this tomorrow:
- Define your evidence pack minimums per role risk tier (Security owns).
- Turn rubrics into versioned artifacts and require structured reviewer notes (Hiring Manager owns; Recruiting Ops enforces).
- Instrument time-to-event SLAs: verification complete, review complete, decision logged (Recruiting Ops owns; Analytics reports).
- Block offers when required evidence is missing, or when exceptions lack approver identity and expiration (Security owns policy).
- Stand up a dispute workflow: code playback and interview metadata are the first stop, not Slack history (Recruiting Ops owns).
Business outcomes you can measure within weeks:
- Reduced time-to-hire via parallelized checks and SLA-bound review queues.
- Defensible decisions because every approval and exception is timestamped and attributable.
- Lower fraud exposure by gating access on identity and capturing authenticity signals in code and video.
- Standardized scoring across teams using stored rubrics and tamper-resistant reviewer notes.
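A sketch of the "block offers" check from the list above, as an added example that is not IntegrityLens code. It uses a medium-tier subset of the page's policy field names; the pack layout, the `covers` field on an exception and the approver directory are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Medium-tier subset of the page's policy, abbreviated for the example.
REQUIRED = {"medium": [
    "identity.verification.liveness",
    "identity.verification.document_auth",
    "identity.verification.face_match",
    "assessment.code.playback_id",
    "assessment.plagiarism.signal",
    "review.sla_met",
]}
EXCEPTION_FIELDS = ["reason_code", "approver_id", "timestamp", "expiration"]
ALLOWED_APPROVER_ROLES = {"Security", "Legal", "HeadOfTA"}
# Constructed directory: the approver's role is looked up, never taken from the request.
APPROVER_DIRECTORY = {"u-sec-01": "Security", "u-eng-22": "HiringManager"}

def exception_is_valid(exc, now):
    """Valid only if all required fields are set, the approver's role is allowed, and it is unexpired."""
    if any(not exc.get(f) for f in EXCEPTION_FIELDS):
        return False
    if APPROVER_DIRECTORY.get(exc["approver_id"]) not in ALLOWED_APPROVER_ROLES:
        return False
    return datetime.fromisoformat(exc["expiration"]) > now

def evaluate_offer_gate(pack, tier, now):
    """Return (allowed, reasons) for a pack shaped {"evidence": {...}, "exceptions": [...]}."""
    reasons, waived = [], set()
    for exc in pack.get("exceptions", []):
        if exception_is_valid(exc, now):
            waived.add(exc.get("covers"))  # hypothetical field naming the waived evidence item
        else:
            reasons.append("invalid_exception:" + str(exc.get("covers")))
    for field in REQUIRED[tier]:
        value = pack["evidence"].get(field)
        present = value is not None and value is not False and value != ""
        if not present and field not in waived:
            reasons.append("missing:" + field)
    return (not reasons, sorted(reasons))

def sample_pack():
    # Constructed evidence values for illustration.
    return {"evidence": {
        "identity.verification.liveness": "pass",
        "identity.verification.document_auth": "pass",
        "identity.verification.face_match": "pass",
        "assessment.code.playback_id": "pb-0001",
        "assessment.plagiarism.signal": "none",
        "review.sla_met": True,
    }, "exceptions": []}
```

An expired or incomplete exception is reported as its own blocking reason instead of being silently ignored, so a stale waiver surfaces at the gate.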
Key takeaways
- Evidence packs convert hiring from a judgment call into an auditable access decision with timestamps, owners, and artifacts.
- If it is not logged, it is not defensible. Require immutable event logs for identity, interview, assessment, scoring, and exceptions.
- Parallelize identity verification and assessments, then gate reviewer access and offers on completion events and review SLAs.
- Standardized rubrics and reviewer notes reduce dispute resolution time because you can replay what happened, when, and who approved it.
Defines required evidence pack components before offer approval.
Enforces review-bound SLAs, exception approvals, and immutable logging requirements.
Designed for CISO-owned policy with Recruiting Ops execution.
policy:
  name: offer-gate-evidence-pack
  version: 1.0
  scope:
    applies_to: ["technical_roles", "remote_roles", "privileged_access_roles"]
  role_risk_tiers:
    low:
      required:
        - ats.candidate_id
        - consent.timestamp
        - interview.video.session_id
        - interview.rubric.version
        - interview.reviewer_notes.structured
        - decision.approver
        - decision.timestamp
    medium:
      required:
        - identity.verification.liveness
        - identity.verification.document_auth
        - identity.verification.face_match
        - assessment.code.playback_id
        - assessment.execution.telemetry_summary
        - assessment.plagiarism.signal
        - review.sla_met
        - exception.none_or_approved
    high:
      required:
        - identity.verification.liveness
        - identity.verification.document_auth
        - identity.verification.face_match
        - identity.reauth.on_interview_start
        - identity.reauth.on_assessment_start
        - fraud.signals.deepfake_check
        - fraud.signals.proxy_interview_check
        - fraud.signals.device_fingerprint
        - assessment.code.playback_id
        - assessment.execution.telemetry_summary
        - assessment.plagiarism.signal
        - reviewer.identity.bound_to_notes
        - decision.two_person_rule
  slas:
    verification_review_queue:
      owner: Security
      target: "4h"
      breach_action: "escalate_to_security_manager"
    assessment_review:
      owner: HiringManager
      target: "48h"
      breach_action: "auto-remind_then_reassign"
    final_decision:
      owner: HiringManager
      target: "24h"
      breach_action: "block_offer_until_logged"
  exceptions:
    allowed: true
    approvers: ["Security", "Legal", "HeadOfTA"]
    required_fields:
      - reason_code
      - approver_id
      - timestamp
      - expiration
    expiration_default: "7d"
  logging:
    immutable_event_log: true
    required_events:
      - candidate.created
      - consent.captured
      - identity.verification.started
      - identity.verification.completed
      - interview.started
      - interview.completed
      - assessment.started
      - assessment.submitted
      - review.completed
      - decision.logged
      - offer.approved
      - exception.approved
  retention:
    evidence_pack_metadata: "24m"
    biometrics_payload: "zero-retention"
    access_logs: "24m"

Outcome proof: What changes
Before
Hiring artifacts were distributed across an ATS, a video tool, a coding tool, and Slack. Exceptions were granted in email. During a security review, the team could not reconstruct who approved several hires or which rubric version was used.
After
Offer approval was gated on evidence pack completeness. Reviewer notes were captured as structured fields tied to rubric versions. Identity verification occurred before interview access, and all state changes wrote into an immutable event log attached to the ATS record.
Implementation checklist
- Define the evidence pack schema (identity, code telemetry, video metadata, rubric, reviewer notes, approvals, exceptions).
- Assign owners and SLAs for every reviewable step.
- Instrument immutable event logs with timestamps and actor identity for every state transition.
- Block offer creation unless required evidence pack elements are present and approved.
- Create a dispute workflow that uses code playback and interview replay, not Slack recollections.
Questions we hear from teams
- What should be inside a hiring evidence pack?
- At minimum: identity verification results with timestamps, interview and assessment metadata, code authenticity signals (playback and execution telemetry), rubric version, structured reviewer notes, decision approver identity, and any exceptions with reason codes and expiration.
- Who should own evidence pack retention and access?
- Security should own retention and access policy because the evidence pack is part of access governance and audit response. Recruiting Ops should own day-to-day workflow adherence and SLA operations.
- How do evidence packs reduce time-to-hire instead of adding steps?
- By parallelizing checks and automating capture. Reviewers stop waiting for context because artifacts are assembled automatically, and escalations are routed to SLA-bound queues instead of ad hoc messages.
- How do you stay privacy-aligned while keeping auditability?
- Retain proof, not payload. Keep immutable event logs and verification outcomes, but use zero-retention biometrics so you do not store biometric artifacts longer than necessary.
