You verified them three years ago. What's changed since?

A background check at the point of hire tells you what was true on that date. The qualifications were confirmed. The employment history checked out. The criminal record came back clean. The references were positive. Everything lined up, so the person was hired, onboarded, and given access to systems, data, and people.

That was three years ago. Since then, the role has expanded. Access permissions have grown. The person may have moved teams, taken on financial authority, or started managing others. Their circumstances outside work may have changed too, in ways that affect risk but never trigger a review.

Most organisations treat verification as a hiring event. The check is done, the file is closed, and trust is assumed to hold from that point forward. The problem is that risk doesn't follow that timeline.

What changes after onboarding

Credentials decay. A professional licence that was valid at hire can lapse. A qualification from an institution that later loses accreditation doesn't retroactively flag in your records. A clean financial history at onboarding says nothing about debts, judgments, or insolvency that develop afterwards, even when the person holds a role with fiduciary responsibility.

Roles evolve faster than controls. Someone hired as a junior developer who's now managing production infrastructure has a fundamentally different risk profile than the one you screened. Access creep is one of the most common and least monitored risks in any organisation: permissions accumulate as people move through roles, and revocation almost never keeps pace.

Conduct changes. Misconduct, conflicts of interest, undisclosed secondary employment, or behavioural patterns that affect workplace safety can all emerge well after onboarding. If there's no mechanism to surface these signals, the organisation is relying on the assumption that whatever was true at hire remains true indefinitely.

The ILO's November 2025 working paper on AI in human resource management described a version of this structural problem: systems built on fixed assumptions break when the environment becomes fluid. The paper focused on AI models, but the principle applies equally to verification. A static check captures a snapshot. It doesn't account for the fact that the subject of that snapshot keeps moving.

What this looks like when it goes wrong

Google's Threat Intelligence Group documented one of the clearest illustrations of post-hire risk escalation in 2025. North Korean operatives who had been hired under fabricated identities didn't just collect salaries. Over time, they moved laterally through employer systems, accessed proprietary code and customer data, and in several cases, extorted their former employers after being terminated, threatening to publish stolen source code or sell it to competitors.

The initial hire passed screening. The risk that followed had nothing to do with the quality of the original check. It emerged because no one reassessed what those employees had access to, whether their conduct warranted continued trust, or what data they had accumulated during their tenure.

This is an extreme case, but the underlying pattern is ordinary. An employee's risk profile at month one and month thirty-six are rarely the same. The question is whether your organisation has any way of knowing when they diverge.

Why periodic rescreening isn't standard practice

The honest answer is that most verification infrastructure was designed for a single moment: pre-hire. The systems, contracts, and workflows are built around onboarding. Running the same checks again at intervals requires different triggers, different consent frameworks, and often different commercial arrangements with screening providers.

There's also a cultural hesitation. Rescreening can feel like a statement of distrust toward existing employees. Organisations worry about morale, about perception, about the message it sends.

But the alternative is carrying risk you can't see. And in regulated industries, that risk has a specific cost. Financial services firms operating under MAS guidelines in Singapore are already expected to monitor representatives with adverse information on an ongoing basis. The EU AI Act's high-risk classification covers AI used to monitor and evaluate employee performance and behaviour, not only recruitment. Australia's Privacy Act reforms will require disclosure when automated decision-making significantly affects an individual's rights, which extends well beyond the point of hire.

The regulatory environment is catching up to a reality that risk professionals have understood for years: a one-time check provides one-time assurance. It says nothing about what happens next.

What continuous trust actually requires

Rescreening is part of the answer, but it's not the whole answer. Continuous trust means building mechanisms that surface changes as they occur, rather than waiting for a scheduled review or an incident.

That includes monitoring for adverse information (criminal records, sanctions, regulatory actions) against your current workforce on an ongoing basis. It includes reviewing access permissions when roles change, rather than only when someone joins. It includes whistleblowing and reporting channels that connect post-hire signals back to the screening record, so that patterns can be identified across the employee lifecycle rather than treated as isolated events.

The campaign brief for this series described trust as a system, not a moment. This is where that idea becomes operational. If your organisation verified someone once and has no process for revisiting that assessment, you're carrying risk that compounds with every month of unreviewed access, unchanged permissions, and unmonitored change.

The check you ran three years ago answered a question about three years ago. The question you need to answer is what's true now.

The bigger picture

This article is part of a four-part series on how AI is reshaping trust in hiring and workforce management. For the full picture, including how authenticity, fairness, continuity, and accountability connect as a single trust problem, read the pillar piece.

{{your-hiring-process-was-built-for-a-world-that-no-longer-exists="/components"}}

‍