Our Take
HR and security have become the same problem: North Korean operatives are now indistinguishable from candidates until they're inside your network, and annual phishing training won't catch them.
Why it matters
The 2026 Verizon Data Breach Investigations Report found North Korean IT worker schemes may have used 15,000 stolen identities to infiltrate organizations remotely. For CHROs and security leaders, this means hiring and insider risk are no longer separate domains.
Do this week
Security: Audit your remote technical hiring pipeline this week and implement live identity validation (geolocation checks, device consistency, payroll banking verification) before the next hire cycle so you can close the identity gap.
State-sponsored hiring infiltration is now routine
Verizon's 2026 Data Breach Investigations Report analyzed more than 31,000 incidents and 22,000 confirmed breaches. Among its findings: North Korean IT worker operations deployed coordinated teams using stolen identities, remote hiring pipelines and laptop farms run by local accomplices. The report estimates these operations may have used approximately 15,000 possible identities (per Verizon).
The mechanics mirror legitimate recruiting. Attackers submit polished resumes, perform well in technical interviews and complete remote onboarding without raising flags. The difference: they are state actors using synthetic identities, stolen credentials and AI-enhanced documentation.
Third-party supply chain breaches jumped 60% and now account for 48% of all incidents (per the 2026 DBIR). Many infiltrations exploit subcontractors and fast-tracked technical recruiting pipelines where identity validation is weakest.
Why traditional background checks fail
According to Ensar Seker, chief information security officer at SOCRadar, a threat intelligence firm, conventional background checks cannot detect synthetic identities or AI-assisted documentation. The attack surface has expanded from cybersecurity into workforce integrity.
The fix requires multi-layered verification: live identity validation during interviews, device and geolocation consistency checks, payroll banking verification and tighter contractor onboarding. Post-hire behavioral monitoring matters equally. Red flags include unusual working hours, unexpected VPN patterns and attempts to access repositories or collaboration tools beyond assigned scope.
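The three post-hire red flags named above can be checked against access logs. The following is an added example, not code from the article or the DBIR; the worker profile, log format, working-hours window and two-flag threshold are all assumptions, and the log lines are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical per-worker baseline: assigned resources, declared UTC offset,
# and countries the worker is expected to connect from (constructed data).
PROFILES = {
    "dev-041": {"scope": {"billing-api", "billing-ui"}, "utc_offset": -5,
                "countries": {"US"}},
}
WORK_HOURS = range(7, 20)  # assumed local working window, 07:00 to 19:59

# Constructed log lines: UTC timestamp, user, egress country, via VPN, resource
SAMPLE_LOG = """\
2026-03-02T15:10:00Z dev-041 US no billing-api
2026-03-02T16:40:00Z dev-041 US no billing-ui
2026-03-03T08:05:00Z dev-041 NL yes billing-api
2026-03-03T08:20:00Z dev-041 NL yes payroll-core
2026-03-03T08:31:00Z dev-041 NL yes hr-documents
"""

def parse(line):
    ts, user, country, vpn, resource = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "user": user, "country": country,
            "vpn": vpn == "yes", "resource": resource}

def flags_for(event, profile):
    """Map one access event to the red flags it raises for this worker."""
    flags = []
    local = event["when"] + timedelta(hours=profile["utc_offset"])
    if local.hour not in WORK_HOURS:
        flags.append("unusual_hours")
    if event["vpn"] and event["country"] not in profile["countries"]:
        flags.append("unexpected_vpn")
    if event["resource"] not in profile["scope"]:
        flags.append("out_of_scope")
    return flags

def review(log_text, profiles=PROFILES, threshold=2):
    """Return (user, resource, flags) for events with >= threshold flags."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        profile = profiles.get(ev["user"])
        # An account with no baseline is surfaced rather than silently skipped.
        flags = flags_for(ev, profile) if profile else ["no_profile"]
        if not profile or len(flags) >= threshold:
            hits.append((ev["user"], ev["resource"], flags))
    return hits

if __name__ == "__main__":
    print(*review(SAMPLE_LOG), sep="\n")
```

Requiring two or more flags on the same event keeps a single late night or a single VPN session from generating an alert on its own.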
AI-assisted social engineering now outpaces awareness training
The volume of AI-assisted text in malicious emails has doubled (per the 2026 DBIR). Attackers no longer send recognizable phishing templates. Instead, employees face AI-generated voice calls, deepfake executives, synthetic recruiters and real-time social engineering designed to create urgency and bypass critical thinking.
Annual phishing videos are insufficient. Employees need training in verification discipline, not just suspicion. This means teaching staff to slow down high-pressure requests, independently verify sensitive actions through secondary channels and recognize manipulation tactics involving urgency, authority or fear.
HR and finance teams are high-value targets because they control compensation data, direct deposit information and identity documents. Continuous micro-training and live simulations built around actual attack scenarios (fake Teams calls, AI voice messages, payroll scams, multifactor fatigue attacks) are more effective than generic awareness programs.
Shadow AI is the third-ranked insider risk
Employee use of unapproved AI tools tripled in one year, rising from 15% to 45% of the workforce (per the 2026 DBIR). Shadow AI is now the third most common non-malicious insider action detected in data loss prevention systems, a fourfold increase year-over-year.
The most commonly uploaded data type by a significant margin is source code. Research and technical documentation appeared in 3.2% of those policy violations (per the report). Intellectual property is walking out the door faster than organizations can govern it.
Blanket bans fail because employees use prohibited AI at work anyway. The effective path is clear usage policies defining what data can and cannot be shared, with role-specific guidance for HR, legal, engineering and finance. Organizations handling this best treat generative AI governance similarly to cloud adoption, enabling innovation while building visibility, guardrails and accountability.
Merge hiring and insider risk into one program
Stop treating recruitment as a hiring function separate from security. Identity verification must happen before onboarding and continue after hire. Implement geolocation and device consistency checks during the interview process. Require payroll banking verification for all remote technical hires.
For shadow AI: Define approved tools by department and data sensitivity level. Prohibit source code, customer data and proprietary documentation in unapproved platforms. Use continuous monitoring to flag unusual data uploads as they happen rather than relying on after-the-fact discovery.
Train employees on verification discipline. Teach them to independently confirm high-pressure requests through secondary channels before acting. Conduct live simulations using attack scenarios your organization actually encounters, not generic phishing links.