Who owns workforce identity risk?
A CISO might point to the identity stack. The IT leader might point to the helpdesk. HR could point to the security team. Finance will note that there is no dedicated line item. Legal might mention that they've been meaning to look at that OFAC exposure.
Every answer is reasonable. Every answer is also partial. The cost of this risk distributes across multiple executive domains simultaneously, and it has grown large enough to warrant looking at the total.
The Workforce Identity Verification Gap
Identity infrastructure (the IdP, MFA, SSO, device trust) verifies which account is acting. It does not verify which human is acting. That distinction was manageable when impersonation was hard and credentials were difficult to steal at scale.
It is no longer hard. Sophos analyzed 661 incident response cases across 70 countries and found identity-related root causes behind 67% of successful intrusions. The 2026 Cloudflare Threat Report found that 63% of all logins now involve credentials already compromised elsewhere. It is now cheaper to log in with stolen credentials than to develop a technical exploit.
The gap between account verification and human verification has a cost. That cost lands in different places depending on who is looking at it, which is why most organizations have never seen the combined figure. The most immediately visible place it lands is in workforce productivity.
What Is the Productivity Cost of Identity Lockouts?
Every identity lockout is a productivity event. The employee waiting on a reset isn't a ticket in the queue. They're a person not doing the work the organization is paying them to do.
For a 25,000-person organization, cumulative hours lost to identity friction (direct wait time, the roughly 23 minutes it takes to regain focus after an interruption as documented by researchers at UC Irvine, escalation handling, manager callbacks) run into the tens of thousands annually. At fully loaded rates ranging from $37 per hour in retail to nearly $90 in technology, that translates to millions in capacity the organization paid for and didn't receive.
It shows up as project delays, missed deadlines, and the friction that makes organizations feel slower than they should. A nurse locked out of the EMR during a shift change. A plant supervisor locked out of the OT bridge during a line restart. A senior engineer locked out before a production deployment. None of these appear on a helpdesk report. All of them are real costs absorbed across the business.
Productivity loss is painful, but it's recoverable. The next layer of cost is not.
How Much Does Identity-Based Breach Exposure Cost Per Week?
When the verification gap is exploited in an attack, the cost shifts from lost productivity to realized breach losses.
Annual Loss Expectancy, or ALE, gives security leaders a financial figure for the risk register by multiplying the annual probability of a breach by its average cost. IBM's 2025 Cost of a Data Breach Report puts healthcare breaches at $7.42M average cost, the highest of any sector for the fourteenth consecutive year. The U.S. average across sectors is $10.22M.
Applied against sector-specific breach probabilities, and spread across the 52 weeks of the year:
- Healthcare: ~$5.0M baseline ALE, roughly $96,000 per week
- Technology: ~$2.5M baseline ALE, roughly $48,000 per week
- Manufacturing: ~$2.4M baseline ALE, roughly $46,000 per week
- Education: ~$2.2M baseline ALE, roughly $42,400 per week
- Hospitality & Retail: ~$2.0M baseline ALE, roughly $38,750 per week
The annual number is easy to defer. The weekly number is what the organization absorbs every seven days the verification gap stays open.
But breach exposure, while severe, is at least a known category on the risk register. The final cost dimension is newer, less familiar, and for most organizations entirely unquantified.
What Is the OFAC Liability Risk from Hiring Fraud?
The U.S. Treasury, FBI, and DOJ have documented that state-sponsored operatives, primarily from North Korea, are using AI-generated profiles, deepfake interview tooling, and stolen U.S. citizen identities to place themselves on Western corporate payrolls. The March 2026 OFAC sanctions action named individuals and entities generating hundreds of millions in revenue for the regime. A 2025 federal case named 309 U.S. companies, including Fortune 500 names in technology, aerospace, automotive, and media, that had unknowingly hired sanctioned workers.
OFAC civil penalties are strict liability. No intent defense. No awareness defense. Every paycheck to a sanctioned person is a separate violation, at up to $356,579 per instance. A single sanctioned contractor on a six-month biweekly engagement means 13 pay periods, hence 13 potential violations and up to roughly $4.6 million in civil exposure from one hire, before any criminal exposure or remediation costs.
Background checks confirm that a set of identity documents is associated with a clean record. They do not confirm that the person presenting those documents is the person they belong to. That's not a flaw in the background check. It's the boundary of what the tool does. Remote hiring removed the in-person confirmation that used to compensate for that boundary, without replacing it.
The 309 companies named in the federal case were not negligent. They were running the processes available to them. If your HR and Legal teams haven't quantified this exposure yet, most organizations haven't either. The threat scaled faster than the awareness of it.
What Is the Total Cost of Workforce Identity Risk?
Productivity loss that dissolves across every department. Breach exposure that sits on the risk register. Hiring fraud liability that often sits at zero on the balance sheet, not because it's absent, but because it hasn't been measured. Three cost dimensions, each paid from a different budget, each tracked on a different dashboard, each owned by a different executive. No combined total.
Identity risk grew up distributed because identity infrastructure grew up distributed. The IdP serves IT. The background check serves HR. The risk register serves Security. The compliance framework serves Legal. Each team optimized for their piece. Nobody was asked to own the total, so nobody calculated it.
How Do Organizations Start Addressing Distributed Identity Risk?
The first step isn't a technology decision. It's an internal alignment.
Gather the stakeholders (IT, Security, HR/Legal, and Finance) and ask each one to quantify the piece of identity risk they carry. The direct helpdesk cost. The productivity estimate. The ALE figure. The hiring fraud exposure. Most of these inputs already exist in dashboards and reports across the organization. They've just never been combined.
If you haven't had that conversation yet, you're in good company. And it's worth starting.