Pre-Hire Due Diligence Agent

The hire is signed, the candidate starts - and six months later it turns out that the stated university degree never existed. The reference letter from the previous employer was manipulated. The claimed financial services suitability cannot be substantiated.

This is not an edge case. Cross-industry surveys show around one-third of all applications contain false information. A Resume Builder survey from January 2025 puts it more precisely: 44 percent of respondents admitted to lying during the hiring process - 24 percent directly in the CV. Since generative AI produces letters of reference, endorsements, and certificates in minutes, the rate keeps rising. The verification gap between what candidates claim and what employers check is widening, not narrowing.

The real cost of skipping verification

This agent follows the Decision Layer principle: each decision is either rule-based, AI-assisted, or explicitly assigned to a human.

What happens when a company of 2,000 employees fills 150 positions per year and leaves one in five statements unverified?

The legal side is clear. Forged certificates are document fraud, punishable with imprisonment of up to five years across most European jurisdictions. Employers can terminate without notice even years after the hire. But the termination is the smaller problem. Until discovery, the company has paid salary, invested in onboarding, assigned projects, and built customer relationships - and then faces an organisational rupture that reaches well beyond the personnel file.

In regulated industries, the risk multiplies. A financial services firm that puts an employee without verified fitness and properness into a licensed role faces not only employment-law consequences but regulatory ones. A pharmaceutical company that fills a GMP-relevant role with someone whose qualifications have not been verified jeopardises its manufacturing authorisation.

Why verification still fails

The paradox: most companies have verification processes. They just do not work reliably.

The typical due-diligence sequence looks like this: the recruiter receives the go-ahead from the business. Then a chain of individual steps begins - reference request by email, certificate to the business unit for review, request to the candidate for a police clearance, sanctions list check by compliance. Each step waits for the previous one. Each step sits with a different person. No step has a defined deadline.

TYPICAL SEQUENCE (sequential, 14-22 days)

Offer  -->  Reference 1  -->  Reference 2  -->  Credential check
                                                    |
                                              Compliance check
                                                    |
                                              Police clearance
                                                    |
                                              Clearance

The consequence: pre-hire checks take two to three weeks. During that time, candidates drop out - especially the good ones, who have alternatives. Recruiters cut corners, skip steps, document incompletely. And in regulated areas, the proof that verification actually happened is often missing at the end.

What needs to change architecturally

The solution is not more staff and not more discipline. The solution is a different process architecture.

The Pre-Hire Due Diligence Agent decomposes the verification process into independent decision steps. Each step has a defined decider - rules engine, AI, or human - and a documented justification.

The first step is rule-based: which checks are required for this specific position? An accounting clerk does not need a police clearance but does need a credential check. A compliance officer at a bank needs financial services suitability, sanctions list screening, and extended reference checks. This rule set is defined once, agreed with worker representatives, and then applied automatically.

Then the checks run in parallel rather than sequentially:

ARCHITECTURE (parallel, 3-7 days)

Offer  -->  [Rules] Determine check catalogue
                |
                +--> [AI] Validate credentials against registries
                |
                +--> [Human] Reference conversation 1
                |
                +--> [Human] Reference conversation 2
                |
                +--> [Rules] Sanctions list screening
                |
                +--> [Candidate] Submit police clearance
                |
                v
             [AI] Consolidate results + risk assessment
                |
                v
             [Human] Clearance or escalation

Credential validation happens automatically - against university registries, chamber databases, issuer directories. No recruiter visually comparing PDFs. No email to the HR department of the issuer with a two-week waiting period. The agent checks, documents the result, and escalates only on discrepancies.

Reference conversations stay with humans. An algorithm cannot hear subtle tones, cannot evaluate hesitation, cannot ask follow-up questions that go beyond the script. But the agent builds the standardised question list, schedules the conversations, documents results in a structured format, and ensures no conversation is forgotten.

GDPR as an architectural requirement, not a hurdle

Pre-employment screening in Europe operates in one of the strictest data protection frameworks in the world. National employment data rules allow processing of personal data only to the extent necessary for establishing the employment relationship. Every check needs a legal basis or explicit, voluntary consent - and voluntariness in the hiring context is legally contested, because the candidate has no real choice.

That means: every single check must document on which legal basis it is performed, what is checked, and what is not. A monolithic background check that queries everything at once is legally vulnerable. A process that justifies and documents each check individually is not.

That is exactly what decomposition into individual decisions delivers. Credential verification has a different legal basis than sanctions list screening. Reference collection requires a different form of consent than the check of publicly available registries. When each step carries its own legitimation, data protection stops being a process blocker and becomes part of the architecture.

High-risk system - and still productive

The EU AI Act classifies systems for evaluating candidates as high-risk under Annex III, Section 4(a). The cascade of obligations is comprehensive: risk management system, technical documentation, transparency toward affected persons, human oversight.

But the Pre-Hire Due Diligence Agent does not make hiring decisions. It validates facts and documents results. Whether a negative verification result leads to rejection is decided by a human. For regulatory exclusion criteria - missing financial services suitability, entry on a sanctions list - the agent flags the result clearly, but does not reject. It provides the documented basis on which humans decide.

This distinguishes due diligence architecturally from candidate screening. Screening evaluates and weights - there, the bias question is central. Due diligence verifies - there, the completeness and documentation question is central. Both high-risk, but with different governance requirements.

What the infrastructure contributes

The validation framework built here for credentials is not a one-off product. The Certification Tracking Agent uses the same check logic for ongoing licences and certifications in the employment relationship. The Audit Compliance Agent uses the same matching mechanism for sanctions lists and registry checks.

More importantly: the consent management engine built here for GDPR-compliant candidate verification becomes the foundation for every agent processing third-party personal data. Built cleanly once, documented, and approved by worker representatives - then reused.

The decision log capturing every verification step with timestamp, legal basis, and result makes the whole due diligence process audit-proof. Not as compliance theatre, but as infrastructure that delivers reliable answers when it matters - in an employment dispute, a regulatory audit, or a works council review. (US: FCRA, ban-the-box laws, and state-specific consent requirements create a parallel compliance stack that the agent’s jurisdiction-specific permissibility matrix handles directly.)