Fraud-intelligence · Dec 27, 2025 · 17 minute read

Deepfake Defense: Liveness, Devices, Telemetry Runbook

Deepfakes and proxy test takers do not break hiring because teams lack intent. They break hiring because identity gates are missing, signals are unlogged, and escalations have no S

Michael O’Connell

Head of Trust & Safety

Michael runs red teams and fraud defense strategy for high-stakes hiring pipelines.

Identity is a gate before access. If the gate is late or unlogged, every downstream decision becomes harder to defend.
Back to all posts

Real hiring problem

A remote engineering req is in final stages. The candidate cleared the coding assessment and video interview. The offer packet is drafted. Then Security asks a basic access-management question: "Who did we actually verify before granting interview and assessment access?" Recruiting Ops scrambles through emails and vendor portals to reconstruct identity artifacts. The review queue is unowned, the SLA clock keeps running, and the hiring manager escalates because time-to-offer is slipping. Operational risk: an unverified identity entering late stages forces rework and stalls approvals. Legal exposure: without a time-stamped chain of custody, you cannot prove who approved the hire or what evidence was used. Cost of mis-hire: replacement cost estimates can be 50-200% of annual salary depending on role. Fraud risk is no longer theoretical: Checkr reports 31% of hiring managers have interviewed someone who later turned out to be using a false identity, and Pindrop observed 1 in 6 remote applicants showing signs of fraud in one pipeline. Your job as Director of Recruiting Ops is to keep velocity without creating an integrity liability. The way out is not "more tools". It is an instrumented workflow: identity gating before access, independent fraud signals, and an audit-ready evidence pack per candidate.

WHY legacy tools fail

Most hiring stacks were assembled to move candidates forward, not to control access. That is why deepfakes, replays, and proxy test takers create chaos: Legacy patterns break in the same places: sequential checks that happen after reviewer time is spent, no immutable event log to reconstruct what happened, no unified evidence packs that connect identity to performance, no review-bound SLAs so escalations stall, and no standardized rubric storage so decisions live in shadow workflows. The market failure is structural. Background checks are post-offer. Interview platforms optimize scheduling. Coding vendors optimize question delivery. Your ATS tracks stages but cannot enforce identity gates across tools. The result is data silos and defensibility gaps. If it is not logged, it is not defensible.

OWNERSHIP and accountability matrix

Assign owners before you add detection. Otherwise, anomalies become arguments. Recruiting Ops owns workflow: stage design, identity gate placement, SLA enforcement, escalation routing, and ATS write-backs as the single source of truth for candidate state. Security owns control policy: risk tiers, device and telemetry thresholds, audit policy, retention controls, and sign-off requirements for high-risk roles. Hiring Manager owns decision discipline: rubric adherence, scoring quality, re-test approval, and written rationale tied to evidence. Automation vs manual review: automation handles liveness, device fingerprint changes, and telemetry thresholds. Manual review is reserved for step-up verification and disputes, with explicit SLAs so controls do not become the bottleneck. Systems of truth: ATS for lifecycle and decisions. Verification layer for identity outcomes and evidence packs. Interview and assessment layers write structured results and telemetry summaries back into the ATS record.

What is IntegrityLens

MODERN operating model

Run hiring like privileged access. Candidates should not get interview or assessment access until they pass the identity gate required for the role risk tier. Instrument the workflow with event-based orchestration: device change triggers step-up verification, replay indicators trigger re-authentication, behavioral shifts trigger a supervised re-test path. Every trigger writes a time-stamped event. Automate evidence capture into an evidence pack: document auth outcome, liveness result, face match, device fingerprint history, telemetry summary, reviewer notes, and final disposition with approver identity. Operate with dashboards that combine speed and risk: time-to-event from invite to verify, anomaly-to-resolution SLA adherence, and late-stage reversal counts. Measure by timestamps, not anecdotes. Standardize rubrics and store them alongside integrity signals. The goal is evidence-based scoring with ATS-anchored audit trails.

WHERE IntegrityLens fits

IntegrityLens AI provides the control plane that turns fraud defenses into an ATS-anchored operating model instead of scattered vendor tasks: - Biometric identity verification with liveness, document authentication, and face matching, used as an identity gate before access. - Multi-layered fraud prevention using deepfake detection, behavioral telemetry, device fingerprinting, and continuous re-authentication across stages. - AI-powered screening interviews available 24/7 with structured rubrics and behavioral signal capture that writes back to the candidate record. - Immutable evidence packs and compliance-ready audit trails for reviewer accountability and defensible approvals. - Parallelized checks and event-based triggers so fraud controls do not force waterfall delays.

ANTI-PATTERNS that make fraud worse

  • Moving identity verification to post-offer. This guarantees reviewer time is spent on unverified identities and creates late-stage reversals that break SLAs. - Allowing assessment retakes without linking sessions to identity and device evidence. This opens a replay lane and makes investigations non-defensible. - Treating anomaly flags as accusations instead of step-up triggers. Poor false positive management increases legal exposure and damages defensibility.

IMPLEMENTATION runbook

Build a fast path and a review path, each with explicit SLAs and owners. Use the YAML policy artifact in this article as the workflow contract between Recruiting Ops and Security. Enforce it through stage gates and review-bound SLAs so fraud defense is continuous, not a one-time firewall.

  1. Risk-tier assignment at application stage - Owner: Recruiting Ops - SLA: immediate at stage entry - Evidence: role tier, required gates, timestamp.

  2. Pre-interview identity gate - Owner: Security defines policy, Recruiting Ops enforces - SLA: completion within 24 hours; typical verification time 2-3 minutes (document + voice + face), under 3 minutes before interview starts - Evidence: liveness, document auth, face match outcomes, timestamps, evidence pack link.

  3. Time-bound access issuance - Owner: Recruiting Ops - SLA: within 5 minutes of pass - Evidence: access issued and expiration timestamp bound to verified identity.

  4. Telemetry monitoring during interview - Owner: Security signals, Recruiting Ops queue health - SLA: anomaly raised within minutes - Evidence: capture anomalies, voice mismatch indicators, device/network changes logged as events.

  5. Assessment with device binding - Owner: Security policy, Hiring Manager bar, Recruiting Ops orchestration - SLA: invite within 10 minutes post-interview; completion window 48 hours - Evidence: device fingerprint, execution telemetry, plagiarism flags, time-on-task.

  6. Step-up verification on triggers - Owner: Security triggers, Recruiting Ops routing - SLA: first response 4 business hours; resolution 1 business day - Evidence: trigger reason, reviewer notes, disposition (clear, re-test, fail), notification timestamp.

  7. Final decision - Owner: Hiring Manager decides, Recruiting Ops ensures evidence completeness, Security sign-off for high risk - SLA: within 24 hours - Evidence: rubric scores, rationale, approver identity, evidence pack attached.

CLOSE: Implementation checklist

If you want to implement this tomorrow: - Create 3 risk tiers and map each to required identity gates and step-up triggers. - Put identity gating before interview and assessment access for medium and high risk roles. - Bind access links to verified identity and expire access by default. - Stand up an escalation queue with named owners and SLAs. Track SLA breaches as an ops metric. - Require an evidence pack for every final disposition. No evidence pack means no decision. - Build dashboards that show time-to-event and anomaly-to-resolution, segmented by role tier and region. Business outcomes: reduced time-to-hire through parallelized checks, defensible decisions through ATS-anchored audit trails, lower fraud exposure through continuous re-authentication, and standardized scoring across teams because rubrics and integrity signals live together.

Related Resources

Key takeaways

  • Treat interviews and assessments like privileged access. Identity gating is a control, not a courtesy.
  • Defense in depth requires three independent signal classes: biometric liveness, device integrity, and behavioral telemetry.
  • If it is not logged, it is not defensible. Your goal is an evidence pack per candidate, not a gut-feel decision.
  • False positive management is part of the control. Step-up verification protects legitimate candidates from bad flags.
  • Measure time-to-event and SLA breaks at the identity gate and escalation queue, not just time-to-hire averages.
Risk-tiered identity and fraud trigger policyYAML policy

Use this as a workflow contract between Recruiting Ops and Security.

Defines required gates, step-up triggers, review SLAs, and evidence pack minimums per risk tier.

Designed to keep a fast path for low risk candidates and a review path that is owned, time-bound, and auditable.

risk_tiered_identity_policy:
  version: "1.0"
  owner:
    recruiting_ops: "workflow + SLA enforcement"
    security: "policy + thresholds + audit"
    hiring_manager: "rubric + decision rationale"
  tiers:
    low:
      required_gates:
        - baseline_identity_gate
      step_up_triggers:
        - device_fingerprint_change
        - replay_suspected
      review_sla:
        first_response_hours: 8
        resolution_hours: 48
    medium:
      required_gates:
        - baseline_identity_gate
        - interview_reauth_gate
      step_up_triggers:
        - face_mismatch_to_id
        - voice_mismatch
        - multiple_failed_liveness_attempts
        - device_fingerprint_change
      review_sla:
        first_response_hours: 4
        resolution_hours: 24
    high:
      required_gates:
        - baseline_identity_gate
        - interview_reauth_gate
        - assessment_reauth_gate
      step_up_triggers:
        - proxy_suspected_behavioral_shift
        - replay_suspected
        - geolocation_impossible_travel
        - repeated_session_restarts
      review_sla:
        first_response_hours: 2
        resolution_hours: 8
  evidence_pack_minimum:
    - immutable_event_log_timestamps
    - liveness_result
    - document_auth_result
    - face_match_result
    - device_fingerprint_history
    - behavioral_telemetry_summary
    - reviewer_notes_if_any
    - final_disposition_and_approver

Outcome proof: What changes

Before

Identity checks happened after interviews, anomalies were handled in email, and re-test decisions were not time-stamped. Recruiting Ops could not reliably reconstruct who approved what evidence.

After

Risk-tiered identity gating moved to pre-interview, step-up verification triggered on device and behavioral anomalies, and every escalation wrote to an ATS-anchored audit trail with an evidence pack.

Governance Notes: Security and Legal signed off because the workflow produced tamper-resistant, time-stamped evidence packs without relying on inbox threads, and biometric handling could be configured with zero-retention biometrics while retaining audit logs of outcomes and approver actions.

Implementation checklist

  • Define risk tiers and step-up verification triggers before you turn on detection.
  • Make Recruiting Ops the workflow owner, Security the policy owner, and Hiring Managers the rubric owner.
  • Require a pre-interview identity gate for any role with access to production data, code, or customer PII.
  • Log every verification, device change, and anomaly as an immutable event with timestamps.
  • Set SLAs for manual review so fraud controls do not become the new bottleneck.
  • Standardize escalation outcomes (clear, step-up, fail, re-test) and require evidence notes for each.

Questions we hear from teams

How do we avoid false positives when a deepfake or proxy signal triggers?
Treat every anomaly as a step-up trigger, not an accusation. Route to a time-bound manual review queue, require reviewer notes, and resolve via re-authentication or a supervised re-test. Log the trigger, the reviewer, and the disposition in the evidence pack.
Where should liveness checks sit to protect time-to-offer?
Before interview and assessment access for medium and high risk roles. That is the earliest point where you can prevent reviewer time waste and avoid late-stage reversals that break SLAs.
What metrics should Recruiting Ops report to prove the control is working?
Time-to-event from invite to verification completion, anomaly-to-resolution SLA adherence, step-up verification rate by risk tier, and late-stage reversal counts. All should be derived from stage timestamps in the immutable event log.

Ready to secure your hiring pipeline?

Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.

Try it free Book a demo

Watch IntegrityLens in action

See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.

Related resources