Does pass-fail status give recruiters enough to operate?

Yes, if your workflow is instrumented. Recruiters need next-step eligibility and a timestamp, plus a clear path when status is REVIEW_IN_PROGRESS. Raw artifacts belong in a Security-owned exception lane.

How do you keep time-to-offer from slipping when Security owns reviews?

By treating identity review like an SLA-bound queue with alerts. Track time-in-queue and breaches by timestamp, then staff or tune step-up thresholds based on where delays cluster.

What should be stored for audits if you do not retain biometrics?

Store the evidence of the decision: verification status changes, timestamps, reviewer identity for exceptions, and the policy version in effect. The point is a defensible chain of custody without retaining unnecessary sensitive data.

Compliance-governance · Jan 8, 2026 · 10 minute read

Segregation of Duties for Candidate ID: Pass-Fail Only

A practical control model for separating recruiting velocity from sensitive identity data handling.

Rebecca Stein

General Counsel

Rebecca advises on global data privacy, biometric compliance, and employment law.

If recruiters need raw ID artifacts to move a candidate, the workflow is wrong. Fix sequencing, SLAs, and evidence capture not privacy policy language.

Back to all posts

1) HOOK: Real hiring problem

Picture the week before a critical launch. You have five open roles and a hard date. Recruiting is pushing for same-day scheduling, but Legal just flagged that recruiters can currently open raw ID images in a shared vendor portal. Meanwhile Security asks a simple question: "If legal asked you to prove who approved this candidate, can you retrieve it?" This is where segregation of duties stops being a policy memo and becomes an operational control. The failure modes are predictable: - Operational risk: identity review becomes a bottleneck, time-to-offer slips, and delays cluster at moments where identity is unverified. - Legal exposure: recruiters handling raw IDs and biometric artifacts expands the number of people in scope for biometric privacy obligations. If it is not logged, it is not defensible. - Cost of mis-hire: a replacement can cost 50-200% of annual salary depending on role and seniority, and the cost is usually paid in rework and missed delivery, not a clean line item. - Fraud risk: remote hiring pipelines are targeted. Pindrop reports 1 in 6 applicants to remote roles showed signs of fraud in one real-world pipeline. That is not a rounding error. That is a throughput problem and a control problem.

Speed without expanding sensitive data handling
A defensible chain of approval for exceptions and overrides
A predictable review queue so offers do not stall at the identity gate

2) WHY legacy tools fail

Most hiring stacks were not designed with segregation of duties as a first-class control. The market stitched together point solutions: an ATS here, a background portal there, a video interview tool somewhere else. Each tool solves a local problem and silently expands the blast radius of sensitive data access. Why the market failed to solve this: - Sequential checks slow everything down. Identity verification, interview scheduling, and assessment gating often run as a waterfall workflow. When identity is unresolved, everything waits. - No unified event log. You get screenshots, email threads, and vendor PDFs, not an immutable event log with timestamps and owners. - No evidence packs. Even when a vendor produces an output, it is not anchored to the candidate record with a tamper-resistant chain of custody. - No SLA-bound review queues. Manual review becomes tribal knowledge. There is no alerting when reviews breach a threshold. - Shadow workflows and data silos. Recruiters export IDs "just to move the process forward" and now you have uncontrolled copies, undefined retention, and no audit trail.

Recruiting cannot reliably answer "is this candidate cleared to proceed?"
Security cannot enforce least-privilege access to identity artifacts
Legal cannot demonstrate purpose limitation and controlled access

3) OWNERSHIP and accountability matrix

Segregation of duties only works if ownership is explicit and the system-of-record is unambiguous. Use this as the minimum viable operating model. Process ownership (who owns what): - Recruiting Ops owns workflow sequencing, SLA targets, and queue management. They decide where the identity gate sits and what downstream steps are blocked until it passes. - Security owns access control, identity policy, exception handling rules, retention controls, and audit export requirements. They decide who can view raw artifacts and for how long. - Hiring Managers own evidence-based scoring discipline. They should never need raw ID data to score capability. They need rubric outputs and assessment evidence. Sources of truth (single source of truth, not "whatever portal has it"): - ATS is the canonical record for candidate stage, disposition, and offer decisions. - Verification service is the canonical record for identity events, but must write back status to the ATS so recruiting can operate without artifact access. - Interview and assessment systems must write back scored evidence and timestamps, not free-text summaries. What is automated vs manually reviewed: - Automated: pass-fail gating, risk-tier assignment, time-stamped status write-backs, evidence pack generation. - Manual: exception review, ambiguous identity cases, and override approvals, all within SLA and with reason codes.

Recruiters can act on a status. Only Security-approved reviewers can access raw artifacts.

4) MODERN operating model

Treat hiring like secure access management. Identity is the gate before access to privileged steps: live interviews, coding environments, and ultimately payroll and system access. An instrumented workflow looks like this: - Identity verification before access. Candidates pass an identity gate before synchronous interviews or assessments that could be proxied. - Event-based triggers. When identity is verified, downstream steps trigger automatically. When it fails or is ambiguous, it routes to a review queue with an SLA. - Automated evidence capture. Every decision produces an evidence pack: timestamps, inputs, outputs, reviewer notes, and reason codes. - Analytics dashboards. Track time-to-event across identity, interview, assessment, offer. Segment by risk tier and by where overrides cluster. - Standardized rubrics. Hiring Manager scoring is stored as structured evidence tied to the candidate record, not as a comment in a calendar invite. This is how you preserve recruiting velocity while shrinking the number of humans who can touch sensitive ID data.

Minimize access: pass-fail only for recruiters
Minimize retention: keep biometric artifacts zero-retention where possible, store only necessary proofs
Minimize copies: evidence packs, not email attachments

5) WHERE IntegrityLens fits

IntegrityLens AI acts as the control plane between Recruiting and Security so you can enforce segregation of duties without slowing the funnel. - Runs biometric identity verification with liveness, face match, and document authentication as an identity gate before privileged steps. - Writes back a simple status to the ATS so recruiters operate on pass-fail and timestamps, not raw artifacts. - Generates immutable evidence packs with time-stamped logs and reviewer notes for audits and incident response. - Supports fraud prevention signals like deepfake and proxy interview detection to reduce downstream interview waste. - Enables privacy-forward handling patterns, including zero-retention biometrics, to reduce the compliance surface area.

Recruiters: status, timestamp, and next-step eligibility
Security reviewers: artifacts and rationale only when policy allows

6) ANTI-patterns that make fraud worse

Do not do these three things, even if they feel like short-term speed hacks: - Give recruiters raw ID access "just in case". This expands legal exposure and creates uncontrolled copies. - Allow overrides without reason codes and named approvers. A decision without evidence is not audit-ready. - Run identity checks after interviews to avoid friction. You waste interviewer hours on unverified identities and invite proxy behavior upstream.

You cannot prove purpose limitation or access minimization
You cannot reconstruct who approved exceptions
You cannot explain why time delays cluster at unverified identity stages

7) IMPLEMENTATION runbook (with SLAs, owners, evidence)

Define access roles and default-deny (SLA: 2 business days to implement) - Owner: Security - What happens: create roles: Recruiter (status-only), Hiring Manager (rubric-only), Security Reviewer (artifact access), Recruiting Ops Admin (workflow admin, no artifact access by default). - What gets logged: role assignments, policy version, effective timestamp.

Place the identity gate before privileged steps (SLA: immediate once configured) - Owner: Recruiting Ops - What happens: candidate cannot be scheduled for live interview or launched into a coding assessment until verification status is Pass or Step-up Required is resolved. - What gets logged: gate evaluated at each stage transition, outcome, timestamp.

Configure risk-tiered verification (SLA: 1 week) - Owner: Security with Recruiting Ops input - What happens: low-risk candidates go through standard verification. Higher-risk signals trigger step-up verification or manual review. Recruiters still see only pass-fail and next-step eligibility. - What gets logged: risk tier assignment, triggering signals, step-up requests.

Create an SLA-bound review queue for exceptions (SLA: 48 hours after go-live) - What happens: ambiguous cases route to a Security queue with an SLA (for example, 4 business hours during recruiting peaks). Breaches alert Recruiting Ops. - What gets logged: time-in-queue, reviewer, decision, reason codes, attachments referenced in evidence pack.

Standardize hiring rubrics and store as evidence (SLA: 2 weeks) - Owner: Hiring Manager with Recruiting Ops enforcement - What happens: structured rubrics are required to move stages. No free-text-only decisions. - What gets logged: rubric version, scores per dimension, timestamp, scorer identity.

Generate evidence packs and anchor them to the ATS record (SLA: ongoing, automated) - Owner: Recruiting Ops for workflow, Security for audit export - What happens: every candidate gets a single evidence pack: identity events, interview events, assessment evidence, overrides, approvers. - What gets logged: evidence pack generation event, hash or unique ID, export events.

Monitor time-to-event and override rates (SLA: weekly ops review) - Owner: Analytics with CPO sponsorship - What happens: dashboard shows time-to-verify, time-in-review-queue, override frequency by team, and where offers stall. - What gets logged: dashboard snapshots, remediation actions, policy changes.

Related Resources

Key takeaways

Treat identity artifacts like privileged access. Recruiters need a pass-fail gate, not raw ID images.
Make the control auditable: immutable event logs, evidence packs, and named approvers.
Use step-up verification and risk-tiered funneling to keep time-to-offer stable without widening access.
If it is not logged, it is not defensible. Build SLA-bound review queues and timestamped decisions.

Segregation of Duties Policy: Candidate Identity ArtifactsYAML policy

Defines who can view raw identity artifacts versus pass-fail status, with required logging and override controls.

Use as a starting point for Security to implement least-privilege access and for Recruiting Ops to validate workflow compatibility.

version: "2026-01-08"
policy_id: "sod-candidate-id-001"
scope:
  systems:
    - "ATS"
    - "IdentityVerification"
  data_classes:
    - "raw_id_document_image"
    - "biometric_template_or_frame"
    - "verification_decision_status"
roles:
  recruiter:
    can_view:
      - "verification_decision_status"
    cannot_view:
      - "raw_id_document_image"
      - "biometric_template_or_frame"
  hiring_manager:
    can_view:
      - "verification_decision_status"
      - "assessment_evidence_summary"
      - "rubric_scores"
    cannot_view:
      - "raw_id_document_image"
      - "biometric_template_or_frame"
  security_reviewer:
    can_view:
      - "verification_decision_status"
      - "raw_id_document_image"
      - "biometric_template_or_frame"
    constraints:
      - "access_requires_ticket_id"
      - "access_expires_minutes: 30"
      - "no_download: true"
controls:
  writeback:
    to_ats:
      fields:
        - "verification_status: PASS|FAIL|STEP_UP_REQUIRED|REVIEW_IN_PROGRESS"
        - "verification_completed_at"
        - "review_queue_sla_breached: true|false"
  overrides:
    allowed: true
    requires:
      - "reason_code"
      - "approver_role: security_reviewer"
      - "approver_identity"
      - "timestamp"
  logging:
    immutable_event_log: true
    events_required:
      - "role_granted"
      - "artifact_accessed"
      - "verification_status_changed"
      - "override_requested"
      - "override_approved_or_denied"
      - "evidence_pack_generated"
    retention_days: 365
privacy:
  biometrics:
    zero_retention: true
  purpose_limitation:
    permitted_use: "identity_verification_for_hiring_only"

Outcome proof: What changes

Before

Recruiters could access raw ID images in a vendor portal. Exceptions were handled in email and Slack. Offer approvals lacked a consistent chain of custody.

After

Recruiters operate on pass-fail status and timestamps in the ATS. Security reviewers handle exceptions in an SLA-bound queue. Evidence packs are generated per candidate and exported for audit on demand.

Governance Notes: Legal and Security signed off because access was minimized by role, artifact viewing was time-bounded with access expiration by default, and every access and override produced an immutable event log entry plus an ATS-anchored evidence pack. This supports purpose limitation and makes exception handling reconstructible during audits.

Implementation checklist

Recruiters see only verification status and timestamp, not raw documents or biometric artifacts.
Security owns access policy, retention rules, and audit export readiness.
Recruiting Ops owns workflow sequencing and SLA instrumentation.
Hiring Managers own rubric discipline and evidence-based scoring.
All overrides require a reason code and are time-stamped with an approver.
Evidence packs are generated per candidate and stored ATS-anchored.

Questions we hear from teams

Does pass-fail status give recruiters enough to operate?: Yes, if your workflow is instrumented. Recruiters need next-step eligibility and a timestamp, plus a clear path when status is REVIEW_IN_PROGRESS. Raw artifacts belong in a Security-owned exception lane.
How do you keep time-to-offer from slipping when Security owns reviews?: By treating identity review like an SLA-bound queue with alerts. Track time-in-queue and breaches by timestamp, then staff or tune step-up thresholds based on where delays cluster.
What should be stored for audits if you do not retain biometrics?: Store the evidence of the decision: verification status changes, timestamps, reviewer identity for exceptions, and the policy version in effect. The point is a defensible chain of custody without retaining unnecessary sensitive data.

Ready to secure your hiring pipeline?

Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.

Try it free Book a demo

Watch IntegrityLens in action

See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.