Duplicate Candidates Incident Playbook: IDs, Merges, Audit Logs
A VP Talent Ops briefing on stopping duplicate records and identity drift by treating candidate identity like access management: deterministic IDs, merge policies, and immutable event logs.
A candidate record without a deterministic identifier is an ungoverned access token. Treat it that way and duplicates stop being "data issues" and start being preventable incidents.Back to all posts
What happens when one person becomes three candidates?
Recommendation: treat duplicates as an integrity incident, not a data cleanup task. When one individual exists as multiple candidate records, you create three failure modes at once: - SLA breakdown: interviews and assessments are scheduled against the wrong record, forcing reschedules and queue resets. - Audit liability: approvals are tied to the wrong profile, and the evidence cannot be reconstructed cleanly. - Fraud surface expansion: identity drift lets a bad actor "route around" controls by re-entering under a new email, name variant, or phone number. External indicators suggest this is not a corner case. Checkr reports 31% of hiring managers say they have interviewed a candidate who later turned out to be using a false identity. Pindrop reports 1 in 6 applicants to remote roles showed signs of fraud in one real-world pipeline. Duplicates and drift are the oxygen these scenarios need: fragmented records, fragmented controls, fragmented accountability.
WHY LEGACY TOOLS FAIL: Why the market still ships "matching" instead of identity
Recommendation: use deterministic identifiers and governed merge rules because fuzzy matching is not audit-ready. Legacy systems treat identity resolution as a convenience feature. In operator terms, that means: - Matching is probabilistic, but approvals are absolute. A decision without evidence is not audit-ready. - Integrations are vendor-to-vendor point solutions. They do not enforce idempotency, retries, and reconciliation at the workflow layer, so duplicates are guaranteed during outages and race conditions. - Rubric storage is tool-local. Even if you merge records in the ATS, interview notes and scores often remain attached to the wrong vendor record, creating tamper-resistant feedback gaps. Market stacks optimized for throughput create duplicates under load because "create new" is always the easiest API call. Without a deterministic Candidate Key and a merge policy, the system will pick speed over integrity every time.
OWNERSHIP & ACCOUNTABILITY MATRIX: Who owns identity, merges, and exceptions?
Recommendation: assign explicit owners and define the system of record per data element. Duplicates persist when ownership is "everyone and no one." Ownership model: - Recruiting Ops owns: candidate creation policy, required fields, merge workflow configuration, and reconciliation dashboards. - Security owns: identity gating policy, access control and retention, audit policy for evidence packs, and step-up verification triggers. - Hiring Manager owns: rubric discipline, score validation, and exception justification when evidence is incomplete. System of truth model: - ATS is the system of record for: canonical Candidate Key, stage changes, offer approvals, and final disposition. - Verification service is the system of record for: identity artifacts and integrity signals (liveness, face match, document auth) and their timestamps. - Interview and assessment platforms are systems of record for: raw interview artifacts and assessment telemetry, but must write back references and outcomes to the ATS using the Candidate Key. Automation vs manual review: - Automated: deterministic matching on Candidate Key inputs, idempotent create-or-update, auto-linking vendor records, and low-risk merges within strict rules. - Manual review: any merge that crosses risk tiers, any split request, any mismatch between identity verification results and ATS identity fields, and any merge affecting an in-flight offer.
Recruiting Ops (R): merge policy, exception queue SLAs, reconciliation job health.
Security (A): identity gate definition, evidence pack requirements, audit log retention.
Hiring Manager (C): rubric completeness and score disputes tied to merges.
Legal/Privacy (I): retention and consent language for identity artifacts.
MODERN OPERATING MODEL: What does an instrumented identity workflow look like?
Recommendation: instrument identity like secure access management. Identity gate before access, then orchestrate everything off events. Operating model checkpoints (answer-first): Integration patterns that matter in practice: - Idempotency keys: every "create candidate" call should be safe to retry without creating a second person. - Reconciliation jobs: nightly jobs that detect drift between ATS and vendor IDs and open a merge ticket rather than silently duplicating. - Conflict handling: when two systems claim different primaries, the ATS wins, and the event log records the arbitration. - Access expiration by default: interview links and assessment invites should auto-expire if a candidate is merged into another record or fails identity gate.
Create a deterministic Candidate Key early. Do it at source ingestion, not at offer stage.
Enforce identity gate before access to privileged steps. Privileged steps include live interviews, take-home links, coding assessments, and offer approvals.
Use event-based triggers instead of manual handoffs. Every create, link, merge, split, and exception should emit an event with timestamp, actor, and reason code.
Capture evidence automatically. The evidence pack should include the identity artifacts, tool IDs, merge decisions, rubric snapshots, and reviewer notes in one audit-ready chain.
Run segmented risk dashboards. Track duplicate-rate, time-to-merge, and exception backlog by source, recruiter, role family, and geo.
Duplicate-rate per 100 inbound leads (by source and recruiter).
Time-to-merge (p50, p95) from duplicate detection event.
Offer-stage merge count (should trend toward zero).
SLA breach rate for exception queue.
Number of vendor artifacts not linked to ATS Candidate Key (data silo indicator).
The control plane for identity and evidence
Recommendation: use IntegrityLens to anchor identity gating and evidence packs to a single ATS record so merges become governed, not improvised. IntegrityLens enables this operating model by: - Running biometric identity verification with liveness checks, face match, and document authentication as an identity gate before interviews and assessments. - Producing immutable evidence packs with timestamped logs and reviewer notes so merges and approvals remain audit-defensible. - Supporting risk-tiered funnels and step-up verification so low-risk candidates move fast while exceptions get routed to a review queue. - Keeping the ATS as the single source of truth by writing back identity status and evidence references, reducing data silos between sourcing and interviews. - Applying zero-retention biometrics architecture to reduce privacy exposure while preserving auditability through logs and evidence references.
ANTI-PATTERNS THAT MAKE FRAUD WORSE
Recommendation: do not "optimize for speed" by removing identity joins and merge governance. You will just move the delay to offer stage, where it is costlier. Exactly three things not to do: - Do not merge records based on recruiter judgment in DMs or spreadsheets. It creates an unlogged approval path and breaks audit readiness. - Do not use fuzzy matching as the only join key for scheduling interviews. It increases false joins and gives fraudsters a low-effort bypass. - Do not allow interview and assessment invites to be issued before a Candidate Key exists in the ATS. That is privileged access without identity gating.
IMPLEMENTATION RUNBOOK: Deterministic IDs, merge rules, and SLAs
Define the deterministic Candidate Key (Owner: Recruiting Ops, SLA: 5 business days) - Inputs: normalized email, normalized phone (E.164), and a government ID hash reference if identity verification is completed. - Rule: Candidate Key must be stable and immutable once assigned. You can update fields, but not re-key a person without a split event. - Evidence: policy doc in your ops repository, plus ATS field configuration showing it is required at creation.
Enforce "create-or-update" with idempotency (Owner: Recruiting Ops with Systems, SLA: 2 weeks) - Pattern: every inbound create from sourcing and forms uses an idempotency key derived from Candidate Key + source system. - Evidence: integration logs showing retry-safe behavior, and a daily report of create attempts vs new records.
Configure merge rules and an exception queue (Owner: Recruiting Ops, SLA: 1 week) - Auto-merge allowed when: same Candidate Key OR email + phone exact match AND no conflicting identity verification results. - Manual review required when: name mismatch with same phone, conflicting verification outcome, or any merge touching offer stage. - SLA: exception queue first response in 4 business hours; resolution in 24 business hours. Breaches page Recruiting Ops. - Evidence: each merge stores actor, timestamp, reason code, and linked artifacts.
Add step-up verification at privileged steps (Owner: Security, SLA: 2 weeks) - Gate: before live interview and before coding assessment. Typical end-to-end verification time is 2-3 minutes (document + voice + face), so it can be enforced without creating day-long delays when instrumented properly. - Evidence: identity verification event with timestamps and outcome, stored in the evidence pack.
Write back rubric snapshots and tool IDs to ATS (Owner: Recruiting Ops, SLA: 2-3 weeks) - Requirement: interview scores and assessment outcomes must reference the ATS Candidate Key. If a vendor record is linked to a merged candidate, all artifacts must be re-associated and logged. - Evidence: ATS-anchored audit trails showing tool record IDs, timestamps, and reviewer identity.
Reconciliation and monitoring (Owner: Analytics, SLA: ongoing) - Nightly reconciliation detects unlinked vendor artifacts, duplicate Candidate Keys, and drift between ATS and vendors. - Dashboard: duplicate-rate, time-to-merge p50 and p95, exception backlog, and offer-stage merge count. - Evidence: immutable event log exports and monthly audit samples.
4 business hours: exception queue first response.
24 business hours: exception queue resolution.
15 minutes: max time allowed for unlinked interview artifacts before an alert fires (prevents silent siloing).
Same day: any merge impacting an in-flight offer must be reviewed and approved by Recruiting Ops with Security consulted.
candidate.created, candidate.linked, candidate.merged, candidate.split
merge.reason_code and merge.evidence_refs
actor_id and reviewer_id for every manual action
timestamps for each state change (time-to-event analytics)
CLOSE: If you want to implement this tomorrow...
Recommendation: start by enforcing a single Candidate Key and making merges review-bound with logs. You can add step-up verification next without replatforming. Implementation checklist for tomorrow morning: - Make Candidate Key a required ATS field for any new candidate record. - Turn off "invite to interview" automation unless Candidate Key is present (identity gate before access). - Stand up a merge exception queue with a 4-hour first-response SLA and a 24-hour resolution SLA. - Require a reason code and evidence reference for every merge. If it is not logged, it is not defensible. - Add a daily reconciliation report: new candidates, suspected duplicates, merges completed, and vendor artifacts not linked to the ATS. - Run a weekly audit sample of 10 merges: verify timestamps, actor identity, and that rubric artifacts are attached to the surviving record. Business outcomes to expect when this is instrumented: - Reduced time-to-hire by removing offer-stage rework and rescheduling caused by drift. - More defensible decisions because approvals tie to a single evidence pack and a single chain of custody. - Lower fraud exposure because identity drift stops being an easy bypass lane. - Standardized scoring across teams because rubric artifacts stay attached to the correct candidate identity across tools.
Related Resources
Key takeaways
- Treat candidate identity as an identity gate before access to interviews and assessments.
- Use deterministic identifiers (not fuzzy match) to anchor a single candidate record across tools.
- Make merges a governed workflow with reviewer ownership, SLAs, and immutable event logs.
- Write merge outcomes back to the ATS to prevent data silos and rubric drift.
- Instrument reconciliation with time-to-event metrics and exception queues so speed does not create audit debt.
Use this as the enforceable policy your systems team can implement across sourcing ingestion, ATS creation, and interview scheduling.
It defines deterministic identifiers, auto-merge conditions, manual review triggers, SLAs, and required audit log fields.
policyVersion: 1.0
candidateIdentity:
canonicalKey:
name: candidate_key
generation:
# Deterministic, stable. Do not include mutable fields like current employer.
# Normalize inputs before hashing.
inputs:
- normalized_email
- normalized_phone_e164
algorithm: sha256
format: "ck_${sha256(normalized_email + '|' + normalized_phone_e164)}"
requiredBefore:
privileged_actions:
- issue_interview_link
- issue_coding_assessment
- move_to_offer_approval
mergePolicy:
autoMerge:
allowedWhen:
- condition: "candidate_key_exact_match"
- condition: "email_exact_match AND phone_exact_match"
forbiddenWhen:
- condition: "offer_stage_in_flight == true"
- condition: "identity_verification_conflict == true"
- condition: "any_system_reports_account_takeover_signal == true"
manualReview:
requiredWhen:
- condition: "name_mismatch AND phone_exact_match"
- condition: "identity_verification_missing AND privileged_action_requested == true"
- condition: "merge_affects_offer_stage == true"
sla:
firstResponse: "4h"
resolution: "24h"
owners:
primary: recruiting_ops
consult: security
logging:
immutableEventLog:
requiredEvents:
- candidate.created
- candidate.linked
- candidate.merged
- candidate.split
- identity.verified
- identity.failed
requiredFields:
- event_id
- event_type
- occurred_at_utc
- actor_id
- source_system
- ats_candidate_id
- candidate_key
- evidence_refs
- reason_code
reconciliation:
nightlyJob:
detects:
- unlinked_vendor_artifacts
- duplicate_candidate_keys
- conflicting_primary_records
onDetect:
action: "create_exception_ticket"
routeTo: recruiting_ops
Outcome proof: What changes
Before
Duplicates were discovered late during scheduling or offer approval. Merge decisions were made in ad hoc messages, and interview artifacts were attached to whichever record the interviewer happened to open.
After
A deterministic Candidate Key was required before privileged steps. Merges were governed with a review queue, reason codes, and immutable event logs. Interview and assessment artifacts were re-linked to the surviving ATS record automatically via Candidate Key reconciliation.
Implementation checklist
- Define a canonical Candidate Key and store it in the ATS as a required field.
- Block interview links and assessments until the Candidate Key is present (identity gate).
- Implement deterministic merge rules plus a manual exception queue with review-bound SLAs.
- Log every create, link, merge, and split as an immutable event with actor and timestamp.
- Reconcile tool-specific IDs (sourcing, interview, assessment) into a single evidence pack per candidate.
- Monitor duplicate-rate and time-to-merge by role, source, and recruiter.
Questions we hear from teams
- What is the minimum deterministic identifier set that works in practice?
- At minimum, use normalized email plus normalized phone (E.164) to generate a stable Candidate Key, and enforce it before issuing interview or assessment access. Add a verified government ID reference only after identity verification is completed, and treat it as a step-up signal rather than a universal requirement.
- How do we avoid bias or "robot rejection" risk when enforcing merge rules?
- Do not auto-reject based on match confidence. Use deterministic joins for identity, and route conflicts to a manual exception queue with review SLAs, required reason codes, and stored evidence. That governance is what keeps automation from turning into unreviewable adverse action.
- What breaks most often when we try to reconcile records across tools?
- Retries without idempotency, vendor-specific IDs not being written back to the ATS, and merges that do not re-associate historical artifacts. Fix these with create-or-update patterns, an ATS-anchored Candidate Key, and reconciliation jobs that open exceptions instead of silently duplicating.
- Where should we enforce identity verification in the funnel?
- Enforce it before privileged actions: live interviews, coding assessments, and offer approvals. Time delays cluster at moments where identity is unverified, so gating access at those moments reduces late-stage rework and improves auditability.
Ready to secure your hiring pipeline?
Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.
Watch IntegrityLens in action
See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.
