February 3, 2026

Why Impersonation Is an Enterprise Risk, Not Just an HR Problem

by
Nametag
North Korea Blog Post Header
press@nametag.co

Get in touch with our PR team.

Download media kit

Logos and graphics to help you cover Nametag.

Workforce Impersonation Report

How AI-enabled impersonation is redefining identity security and shaping the future of enterprise trust.

Download the report

The workforce impersonation problem no one owns

TL;DR

  • Impersonation is not just a hiring issue or a security incident. It’s a workforce problem that develops over time.
  • Identity risk begins early and spreads as trust is passed across HR, IT, and security without being fully reexamined.
  • Attackers exploit normal employee workflows like onboarding, account recovery, and access requests rather than breaking systems.
  • Because no single team owns identity assurance across the workforce lifecycle, impersonation often goes undetected.
  • Organizations that treat identity as an ongoing responsibility are better positioned to reduce risk and move faster with confidence.

Impersonation in the workforce is often framed as either a hiring issue or a discrete security incident. In practice, it’s an enterprise-wide problem that unfolds gradually, as trust is handed from one team to the next without being fully revisited.

Hiring is usually the first place trust is established inside an organization. Someone applies for a role, interviews, and begins the process of becoming part of the workforce. In many companies, the moment an offer is accepted and an employee record is created is treated as the end of identity validation and the beginning of access.

But hiring is only the start of the identity story. The assumptions made during hiring carry forward through onboarding and beyond. Access is granted. Devices are issued. Requests are approved. The original trust decision made during hiring––a decision made by a different team, based on insufficient checks––quietly follows the employee as they move through IT onboarding and into the larger organization.

What emerges is a structural assurance gap that exists between HR, IT, and security. Identity risk is inherited across the workforce lifecycle, rather than owned by any single function.

Learn more

Impersonation Across the Workforce Lifecycle

Once someone becomes part of an organization, their identity becomes the basis for ongoing access, support, and approval decisions.

  • They request access to new tools as their role evolves.
  • They ask for help when an account is locked.
  • They replace a lost or broken device.
  • They move into roles with greater responsibility or broader permissions.
  • They approve actions that affect systems, data, or money.

Each of these interactions is routine and protected by authentication and access controls. But they rely on the assumption that the credentials being re-verified belong to the same human who was originally approved.

Taken on their own, these moments rarely feel risky. They are handled quickly, often under time pressure, and usually by different teams using different systems. Over time, they form a lifecycle where identity is trusted repeatedly without ever being reestablished.

This is where bad actors find opportunities to impersonate someone else. It emerges inside workflows designed to help real employees move quickly. When organizations rely on credential-based verification without confirming the human behind those credentials, those workflows can be misused without raising immediate suspicion.

Impersonation, in this sense, is not an edge case. It is a pattern that follows the same paths real employees use every day.

CTA: The 2026 Workforce Impersonation Report explores how these patterns show up across organizations and industries.

Identity Risk Is Inherited, Not Created

When impersonation surfaces during an investigation, it’s tempting to look for the single control that failed. More often, the risk began as a reasonable assumption made by one team that was then reused everywhere else.

HR validates enough information to make a hiring decision and create an employee record. IT consumes that record to provision accounts and issue devices. Helpdesk teams rely on that account information when approving access changes, recoveries, and requests. At each step, downstream teams inherit upstream assumptions about who the person is, without visibility into how well that identity was originally verified.

Over time, what began as a preliminary trust decision hardens into fact across the organization.  And because no one team owns identity assurance across the full workforce lifecycle, that inherited risk can persist for months before anyone realizes there was an imposter quietly stealing paychecks and copying source code.

How Attackers Exploit Assurance Gaps in Outdated Trust Models

What makes impersonation so effective is not always sophistication, so much as outdated rust models

In a recent case reported by Bloomberg, Amazon uncovered a North Korean national posing as a remote contract system developer after security teams noticed unusual behavioral signals tied to the employee’s laptop. Keystroke input lag suggested the device was being remotely controlled from outside the United States, prompting deeper investigation. The individual had passed hiring and onboarding checks, and had already been issued credentials and access consistent with their role.

What makes the case notable is not a failure of Amazon’s controls, but the opposite. As Amazon’s Chief Security Officer noted, the company found the impostor because it was actively looking for this class of threat. Without that targeted scrutiny, the activity would have appeared legitimate within normal workforce workflows.

This highlights a broader pattern organizations continue to face. Once a worker’s identity is accepted early in the lifecycle, downstream systems focus on re-verifying credentials and enforcing access policies, not re-establishing who is physically behind the keyboard. Detecting impersonation requires signals that go beyond standard authentication and access checks.

That is what turns impersonation into an enterprise risk. Not a breakdown in hiring or security operations, but the absence of a shared way to confirm human identity as it moves across teams, systems, and high-impact moments.

The Identity Ownership Gap Between Teams

The fundamental problem is that identity assurance does not clearly belong to any single team.

HR is responsible for hiring and maintaining employee records. IT enables access and supports employees as they move through the organization. Security sets policy and responds to incidents. Each group operates with valid priorities, yet identity assurance sits between them rather than within them.

At no point is there a clear owner responsible for confirming that the person behind the account is still the correct one, and that they were legitimate to begin with. As a result, uncovering an imposter comes as a big surprise. And by the time the threat is detected, that falsely-trusted identity has already been established across multiple systems, making it difficult to unwind access and leaving the same structural gaps in place for the next incident.

A More Sustainable Approach to Identity Assurance

Addressing workforce impersonation does not require reworking every process or assigning blame to any team. It requires a shared way to confirm identity at the moments where trust matters most.

Organizations making progress should treat identity assurance as a lifecycle concern, not just a one-time decision. Introduce identity verification at specific, high-risk checkpoints such as hiring and onboarding, account recovery, role changes, and sensitive approvals. Apply these checks selectively and design them to support existing workflows, rather than replace them.

The identity verification layer gives HR, IT, and security teams a common, high-assurance trust signal they can rely on without shifting ownership or adding unnecessary friction. Identity assurance becomes a shared responsibility, supported by a shared layer, instead of an assumption passed from one system to the next.

In a workforce environment where impersonation is both common and devastating, the shift to identity verification as the foundation of trust is essential. Treating identity as something that must be maintained over time allows organizations to approve access changes, recover accounts, and onboard employees faster without introducing hidden identity risk

To see how impersonation is reshaping workforce risk and how organizations are responding, explore the 2026 Workforce Impersonation Report..

Secure your helpdesk against social engineering and impersonators.
Learn more about Nametag
Right Arrow Blue
We use cookies to provide, improve, and promote our services. By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts. Visit our Privacy Policy to learn more.
Decline
Accept All Cookies