Every organisation can tell you, to the person, how many employees it has. Ask the same organisation how many people currently hold an active login, a building badge, or access to customer data, and the number gets vague. The honest answer, increasingly, is that nobody is quite sure, because a large and growing share of the people inside the business are not employees at all.
They are contractors and consultants. They are agency temps and seasonal staff. They are gig workers, platform freelancers, and the engineers who arrive under a vendor’s statement of work. By most counts they already make up somewhere between a third and a half of the working population attached to a typical enterprise, and the trajectory is steeply upward.
Here is the consequence that should concern anyone responsible for hiring trust. Background screening was built around the employment relationship. It is the price of admission to becoming an employee. But the people described above are, by definition, not becoming employees, which means the program designed to vet your workforce often vets only a shrinking slice of it. The rest get in another way, and frequently get in unchecked.
This is the extended-workforce blind spot, and it is one of the quietest and most consequential gaps in modern hiring risk.
The Org Chart and the Access List Have Diverged
Start with the scale, because it is easy to underestimate.
Industry estimates put contingent workers at roughly 38 percent of the US workforce today, with credible projections that the figure approaches half within a decade. Globally, the picture is even more striking: by some measures freelancers already account for close to 47 percent of the workforce, well over a billion people, and the gig economy alone crossed 640 billion dollars in value in 2025. Deloitte has found that 41 percent of companies expect to increase their use of contingent labour, and a separate survey put the share of organisations intending to lean harder on it over the next two years at 65 percent.
These are not edge cases or seasonal blips. They describe a structural shift in who does the work. The full-time employee on a permanent contract is no longer the default unit of labour. They are one category among several, and a slowly shrinking one.
The problem is that the screening program almost always inherited its boundaries from the org chart. It covers the people HR formally employs. And the org chart no longer describes the access list. The two used to be more or less the same set of people. They have come apart, and screening followed the version that is easier to see.
Why the Blind Spot Exists
It would be comforting to blame negligence, but the gap is mostly structural.
Traditional HR systems are designed to track employees. Contingent and independent workers, as HR Executive put it bluntly, are “scattered across procurement platforms, agencies, spreadsheets, or sometimes misclassified entirely.” A contractor is engaged through procurement, not HR. A vendor’s engineers are governed by a statement of work, not an offer letter. A staffing-agency temp is, on paper, the agency’s responsibility. Each of these populations is managed by a different function, through a different system, under a different assumption about who handles the vetting.
Surveys suggest around 60 percent of organisations lack a single unified view of their total workforce. If you cannot see the whole workforce in one place, you certainly cannot screen it to one standard. The blind spot is not a decision anyone made. It is the residue of a screening model built for one kind of worker, quietly outpaced by the growth of every other kind.
Same Access, Lower Bar
The reason this matters is that access does not care about employment status.
A contractor with administrator rights to your cloud environment can do exactly what an employee with the same rights can do. A vendor’s technician on site has the same physical reach as a staff engineer. A gig worker handling deliveries interacts with your customers under your brand. The risk attached to a role is a function of what the role can touch, not of the tax form behind it.
Yet the screening bar is frequently set the other way around. The employee gets the full pre-employment check. The contractor with identical access gets a lighter check, or whatever the staffing agency happened to run, or nothing the hiring organisation can actually see. The asymmetry is precisely backwards: the population that receives the least scrutiny often holds access indistinguishable from the population that receives the most.
The Security Data Is Now Unambiguous
For years this was an intuition. The breach data has since made it concrete.
Verizon’s 2025 Data Breach Investigations Report found that the share of breaches involving a third party had roughly doubled, to around 30 percent. SecurityScorecard’s analysis put the figure higher still, with about 35.5 percent of breaches linked to third-party access, and reported that essentially every large organisation, 98 percent, has a relationship with a third party that has been breached. Gartner has estimated that a third-party breach costs around 40 percent more to remediate than an internal one.
The named incidents tell the same story. The 2024 Change Healthcare breach, originating at a vendor, exposed records for more than 70 million people. A 2025 breach at Nokia was traced to a third-party contractor. Security teams now treat vendor and contractor access as a first-class breach risk rather than a footnote. The controls they reach for, least privilege and prompt de-provisioning, exist precisely because a temporary account is a standing entry point that is easy to over-grant and easy to forget to close.
Screening sits upstream of all of it. The question of whether you can trust the person holding that temporary account is exactly the question a background check is supposed to answer. For a large fraction of the people holding those accounts, it was never asked.
The Legal Reality: FCRA Doesn’t Care About Your Labels
There is a common assumption that the lighter treatment of contractors is also the legally simpler path. In the United States, the opposite is closer to the truth.
The Fair Credit Reporting Act applies to background checks on independent contractors, not only employees. The FTC and the CFPB have both taken the position that the FCRA’s worker-protective provisions apply regardless of how the worker is classified. When an organisation uses a screening agency to check a prospective contractor, the full machinery applies: standalone disclosure, written authorisation, and the pre-adverse and adverse-action process before declining to engage someone based on the result. Platforms that treated contractor screening as outside the FCRA’s reach have drawn enforcement actions and class litigation, and FCRA class actions against gig platforms have become one of the more common patterns in the field.
Layer on misclassification, which surveys repeatedly name as the single largest risk in contingent workforce management, with roughly 39 percent of companies citing it. The “it’s just a contractor” instinct that leads to a lighter screening process is the same instinct that leads to misclassification exposure. Treating the extended workforce as a category that escapes obligation is, legally, one of the easier ways to acquire it.
The Vendor Is Not Your Screening Department
The most common defence, when the gap is pointed out, is that the staffing agency or vendor handles screening. Sometimes that is true. Very often it is an assumption that has never been tested.
“The agency checks them” can mean the agency runs a rigorous, jurisdiction-appropriate check. It can equally mean the agency runs a cheap database lookup, or screens to a standard set years ago for a different client, or checks the worker once and never again across a multi-year placement. Unless the requirement is written into the contract, evidenced, and auditable, the hiring organisation is trusting an outcome it cannot see and did not specify. And when something goes wrong, the fact that the failure originated with the vendor is rarely much comfort, because the access, the data, and the customer relationship were the hiring organisation’s.
A screening standard you cannot inspect is not a standard. It is a hope.
Screening the Whole Building, Not Just the Payroll
The shift required here is not primarily about doing more checks. It is about changing the unit of analysis.
For decades, the question screening answered was “is this person fit to become our employee.” The more honest question for the workforce as it now exists is “is this person fit to have the access we are about to give them,” and that question applies to everyone who gets the access, whatever their contract says. The employee, the contractor, the agency temp, and the vendor’s engineer are different to finance and different to HR. To the systems they can reach and the customers they can affect, they are the same.
The organisations that close this gap will be the ones that stop letting the employment label decide the screening standard and start letting access and risk decide it instead. That means seeing the whole workforce before screening it, holding vendors to standards in writing rather than on faith, and accepting that the person with a login and a badge deserves the same scrutiny whether or not they appear on the payroll.
The building does not check tax forms at the door. Neither, anymore, can the screening program.







