The instinct, on discovering that a third to a half of your workforce sits outside your screening program, is to order more background checks. That instinct is not wrong, but it solves the wrong problem. The issue is not the volume of checks. It is that the program is organised around a category, the employee, that no longer captures most of the people with access. Run more checks inside that boundary and you simply do more of what already misses the gap.
The fix is to change the unit you screen by, from employment status to access and risk, and to build the operational plumbing that makes one standard reachable across populations that are currently managed by different functions, in different systems, under different assumptions. Here is how to do it, in the order that actually works.
Inventory the People, Not the Payroll
You cannot screen who you cannot see, so the first move is visibility, and it is usually the hardest.
Build a single inventory of everyone who holds an active credential: employees, yes, but also contractors, agency temps, gig workers, vendor staff under statements of work, and anyone else with a login, a badge, or access to sensitive data or facilities. This will not live in one system today. It will be spread across HR, procurement, the staffing-agency portals, the vendor management system, and more than one spreadsheet. Pulling it together is tedious and almost always surfaces surprises: long-tenured contractors nobody remembers onboarding, vendor accounts still active after the project ended, whole categories of worker that no function considered “theirs” to screen.
That inventory is the foundation. Every later step depends on it, because a standard you cannot apply to people you cannot list is not a standard at all.
Tier by Access and Risk, Not by Employment Label
Once you can see everyone, stop sorting them by contract type. Sort them by what their role can touch.
A contractor with administrative access to production systems is a higher-risk role than a junior employee with none, and should be screened more rigorously, not less. A gig worker who enters customers’ homes carries different risk from one who never leaves a warehouse. Design a small number of screening tiers keyed to access and exposure: what data, what systems, what physical reach, what customer contact, what financial authority. Then map every person in your inventory to a tier, regardless of whether they are W-2 or 1099 or engaged through a vendor.
This single change resolves most of the asymmetry described in the landscape piece. The point is not to screen every contractor as heavily as your most sensitive employee. It is to ensure that two people with the same access face the same bar, whatever their paperwork says.
Set Flow-Down Requirements for Staffing Vendors, in Writing
For workers who arrive through agencies and vendors, you will rely on those partners to execute screening. That reliance has to be specified, not assumed.
Write the minimum screening standard into the contract: which checks, to what depth, in which jurisdictions, refreshed on what cadence. Require evidence that the screening was performed, not just an attestation that it was. Retain a right to audit. And define what happens when a check surfaces something, so that adjudication is not improvised case by case. The goal is to convert “the agency checks them” from a hope into a contractual obligation you can inspect. If a vendor cannot or will not meet the standard, that is itself a finding, and a reason to reconsider the relationship before an incident makes the decision for you.
Handle FCRA and Local Law for Contractors Properly
Extending screening to contractors extends the legal obligations with it, and the most common mistake is assuming the lighter relationship means lighter compliance.
In the United States, the FCRA applies to contractor checks in full: disclosure, authorisation, and the pre-adverse and adverse-action process all attach when you decline to engage someone based on a report. Build those steps into the contractor flow exactly as you would for an employee. Internationally, the consent and data-protection rules of each worker’s jurisdiction apply, which for a globally distributed contractor base means jurisdiction-aware logic rather than a single template. Getting this right is not only protective; it is the difference between a screening program that reduces risk and one that quietly manufactures a new category of it.
Verify Identity at the Point of Access
A background check verifies a person. Access control grants a credential. The two only connect if the person who receives the credential is the person who was checked, and in a distributed, contractor-heavy workforce that link is easy to break.
Confirm identity at the moment access is granted, and tie the screening record to the actual individual who will hold the credential, not to a name on a vendor’s roster. This matters most for remote contractors, where the person onboarded and the person doing the work are not always observably the same. The screening is only as good as the assurance that its subject and the credential holder are one person.
Make Offboarding a Screening Event
Screening programs obsess over the front door and neglect the back one. For the extended workforce, the back door is where much of the risk actually lives.
Contractors and vendor staff rotate constantly, and every engagement that ends without prompt de-provisioning leaves a live credential attached to someone no longer accountable to you. Treat offboarding as a controlled event with the same discipline as onboarding: access revoked on a defined timeline, credentials closed, and the inventory updated so the next audit reflects reality. An unrevoked contractor account is precisely the standing entry point that the breach data keeps pointing to.
Add Continuous Monitoring for Long-Tenured Contractors
The hidden assumption in a one-time pre-engagement check is that the engagement is short. For a great many contractors, it is not. Multi-year placements are common, and a check run at onboarding is a snapshot that ages every month afterward.
For long-tenured contractors in higher-access tiers, a point-in-time check is not enough. Continuous or periodic monitoring keeps the picture current across the life of the engagement, in the same way it would for an employee in an equivalent role. The principle is consistency again: if the access persists, so should the verification behind it.
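The inventory, tiering, offboarding and monitoring steps above reduce to one recurring audit over active credentials. The sketch below is an added example, not part of the original article; the record fields, tier definitions and refresh cadences are hypothetical, and the sample data is constructed.

```python
from datetime import date

# Constructed sample data: stand-ins for an identity-provider credential export
# and the HR / vendor-management / agency records that must be merged.
CREDENTIALS = [
    {"account": "a.ng", "person_id": "P1", "active": True, "access": {"prod_admin"}},
    {"account": "b.ruiz", "person_id": "P2", "active": True, "access": {"customer_homes"}},
    {"account": "c.osei", "person_id": "P3", "active": True, "access": {"email"}},
    {"account": "svc-legacy", "person_id": None, "active": True, "access": {"prod_admin"}},
]
# person_id -> engagement and screening record. "type" is recorded but never
# consulted below: the bar follows the access, not the contract.
PEOPLE = {
    "P1": {"type": "1099", "source": "vendor_mgmt", "end": None, "screened": date(2021, 3, 1)},
    "P2": {"type": "agency", "source": "agency_portal", "end": date(2024, 1, 31), "screened": date(2023, 11, 1)},
    "P3": {"type": "W-2", "source": "hr", "end": None, "screened": date(2023, 6, 1)},
}
# Hypothetical tiers: (tier, access that triggers it, maximum age of a check in days).
TIERS = [
    (1, {"prod_admin", "financial_authority"}, 365),
    (2, {"customer_homes", "sensitive_data"}, 730),
    (3, set(), 1095),  # default tier for everything else
]

def tier_for(access):
    """Return (tier, max_age_days) for the highest-risk tier the access set triggers."""
    for tier, triggers, max_age in TIERS:
        if not triggers or access & triggers:
            return tier, max_age

def audit(credentials, people, today):
    """Return (account, tier, finding) for each active credential that fails the standard."""
    findings = []
    for cred in credentials:
        if not cred["active"]:
            continue
        tier, max_age = tier_for(cred["access"])
        person = people.get(cred["person_id"])
        if person is None:  # a login nobody considered "theirs" to screen
            findings.append((cred["account"], tier, "no owner in any source system"))
            continue
        if person["end"] and person["end"] < today:  # offboarding gap
            findings.append((cred["account"], tier, "engagement ended, credential still active"))
        if (today - person["screened"]).days > max_age:  # onboarding snapshot has aged out
            findings.append((cred["account"], tier, "screening older than tier cadence"))
    return sorted(findings, key=lambda f: f[1])  # highest-risk tier first

if __name__ == "__main__":
    for finding in audit(CREDENTIALS, PEOPLE, date(2024, 6, 1)):
        print(finding)
```

The W-2 employee with email-only access passes, while the 1099 contractor with production admin rights is flagged for a stale check: the same rule applied to both, with the outcome driven by access.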
Screen the Vendor, Not Just the Worker
Finally, widen the lens by one level. The staffing firm or vendor is itself a party you are trusting with access to your people, your data, and your operations, and it deserves due diligence of its own.
Business-information and vendor due-diligence checks on the firm, its ownership, its stability, and its track record sit alongside the screening of its individual workers. A rigorous check on a contractor placed by a vendor you know nothing about is a strong lock on a door whose frame you never inspected.
One Workforce, One Standard
Pull these moves together and the through-line is simple. The extended-workforce gap is not closed by treating contractors more like a security afterthought. It is closed by treating the workforce as a single population, seen in one place, sorted by the risk each role carries, and held to a standard that follows the access rather than the contract.
None of this requires waiting for the law to settle or for the share of contingent work to plateau, and it will not. It requires a decision: that the question “is this person fit for the access we are giving them” gets asked of everyone who receives the access, and answered to the same standard for all of them.
The organisations that make that decision will not have a smaller extended workforce. They will simply stop having an extended-workforce blind spot, because there will no longer be a category of people their screening cannot see.







