Insight
June 5, 2026

Background Checks: Are Organisations Buying Checks, or Confidence in the Decision?

Sean Lumley
When an organisation runs a background check, it is usually trying to answer a practical question: is there enough evidence to justify giving this person access to something sensitive? The product might be a criminal record search, a reference, or a right-to-work verification. Those checks matter, and in most cases, they are required, but the reason for doing them is not simply to complete a process. It is to support a decision about access to children, vulnerable adults, data, money, systems, or authority. It matters because the evidence needed for a check is not always the same as the evidence needed for the decision. A check can be useful and still be too narrow for the access being granted.

TL;DR

  • Background checks only answer part of the hiring decision.
  • The key question is whether the organisation has enough evidence for the access being granted.
  • Required checks matter, but they do not always show current or wider risk signals.
  • If something goes wrong, the process needs to be explainable, proportionate, and defensible.
  • Digital Risk Screening helps close that evidence gap.

The check-buying mindset

Screening has, in many organisations, become a procurement exercise. You select a provider, choose a package, and run the checks. The output is a certificate or a report, and the “process” is complete.

There is nothing wrong with this as far as it goes. Criminal record checks, sanctions screening, right-to-work verification, and reference checks are all important. In many cases they are legally required. They should be done, and done consistently.

The risk comes when the check becomes the endpoint rather than an input. The question shifts from "what does this tell us about the decision we need to make?" to "have we ticked the box?"

As I see it, that shift is more common than most organisations would like to admit. Screening gets treated as a compliance task – something to complete before day one – rather than a risk management discipline designed to support a specific decision.

What the decision actually requires

Every hiring decision gives someone access to something.

A teacher gets access to children. A care worker gets access to vulnerable adults. A finance manager gets access to money and systems. A board member gets access to strategic decisions, sensitive data, and organisational authority.

The level of access varies, but the principle does not: someone is being trusted with something that matters, and the organisation needs enough evidence to justify that trust.

A criminal record check tells you whether someone has a formal conviction. That matters, and in many roles it is a statutory requirement, but it only shows what has entered the formal record. It does not tell you what someone is doing now, what they are associated with online, or whether patterns of behaviour exist that might be relevant to the role.

A reference check tells you that someone held a position and, if you are fortunate, something about how they performed. But references are often selected by the candidate, which limits how much weight they can reasonably carry.

Each check answers a specific, narrow question. The decision – whether to grant access – requires a broader evidence base than any single check can provide.

The gap between completing checks and having enough evidence

An organisation can complete every required check, file every certificate, and still be left with evidence gaps. The checks may have been done properly. They were just never designed to answer the whole decision.

Registry-based screening can only show what has entered the formal record. That matters, but it does not show everything that may be relevant now: public online behaviour, digital associations, or activity in parts of the internet that standard searches do not reach.

Manual internet searches – the kind where someone in HR runs a quick Google search – are well-intentioned but inconsistent. They depend on who runs them, what they think to look for, and how much time they have. Two candidates can end up receiving very different levels of scrutiny, not because their roles carry different risks, but because different people ran the search.

You can end up with a file that looks compliant, while the decision itself still lacks the evidence it needs.

What "enough" looks like in practice

Start with the evidence the decision needs.

A proportionate screening process starts with the decision: what access is being granted, what could go wrong, and what evidence would a reasonable person need to justify the decision?

For a role with access to children or vulnerable adults, that evidence base should probably include more than a criminal record check and a reference from a friend. It should include a current view of what is publicly visible about that person's behaviour, associations, and digital footprint – assessed by someone qualified to determine what is relevant and what is not.

For an executive appointment, the principle is similar. The higher the access and the greater the trust, the stronger the evidence base needs to be. As the JSE qualification fraud case demonstrated, assuming that seniority equals trustworthiness can carry significant risk.

This is where Digital Risk Screening is useful. It uses AI-scale discovery to surface signals across the surface, deep, and dark web, then applies human analyst validation so findings are accurate, contextualised, and relevant to the role. Decision-makers get a structured report with the evidence and context needed to assess the risk.

Statutory checks still matter. The digital layer adds current context alongside them, covering the space between formal records and what is visible now.

The accountability test

One way to test the process is to look at it after a failure.

Take a safeguarding incident, a fraud case, or a reputational crisis linked to someone the organisation hired. The investigation begins, and the question arises:

What did you know, and was it enough to justify the decision you made?

Investigators will look beyond whether the required checks were ordered. They will ask whether the organisation had sufficient evidence, whether it was proportionate to the risk, and whether the process was consistent and defensible.

If the answer is "we ran the required checks and they came back clear", that may satisfy the compliance question. It may not satisfy the accountability question – particularly if the risk was visible online, in digital communities, or in parts of the internet that the organisation never looked at.

The process should start with the access decision. Given what this person will have access to, does the organisation have enough evidence to proceed? The answer needs to withstand scrutiny.

The process has to stand up to scrutiny

Background checks are important. They should be done, and done consistently. But they are inputs to a decision, and they need to be treated that way.

The practical step is to align the depth and breadth of screening to the level of access being granted. The evidence base needs to be current as well as historical, and the process needs to be documented, audited, and defensible.

That changes what organisations look for, how they evaluate their process, and how well they can respond when someone asks the question that always follows a failure: did you do enough?

If your organisation is reviewing whether its screening process gives decision-makers enough evidence, Safehire.ai can help. Our Digital Risk Screening combines AI-scale discovery with human analyst validation, giving teams a clearer evidence base for high-trust hiring decisions.

Continue reading
Insight
May 29, 2026
Insider Risk for Personal Gain: the Quiet Breach That Matters Most in High‑Trust Environments
The Product
Our productPricingFAQs
About Safehire.ai
HomeAbout Us
Get in touch
Get In TouchLegal Stuff
Support
support@safehire.ai
Main logo link that leads to home page
© Copyright 2025