
Organisations across Australia’s critical infrastructure sectors are increasingly reliant on global talent. Engineers, cyber specialists, data analysts, and technical experts are frequently sourced from overseas to address persistent skills shortages, or are rotated into the Australian subsidiary of a foreign-owned critical infrastructure asset. At the same time, the security environment facing critical infrastructure operators and their assets has become more complex, more contested, and more persistent.
This convergence creates a practical challenge for executives: How do we build defensible assurance about individuals whose personal, professional, and behavioural history sits largely outside Australian systems?
Australia’s traditional pre-employment screening models, particularly those centred on domestic background checks, were not designed for this context. They offer limited visibility where a person’s historical footprint in Australia is small or recent. Yet the answer is not to default to exclusion of the person, nor to assume the risk the person may represent. The answer is to adopt a trusted workforce assurance model that is risk-led, role-based, and capable of operating under uncertainty.
This article explores how Australian organisations can approach non-citizen applicant screening within a Trusted Workforce Program, or its complementary Insider Threat Program; why certain checks (including the AusCheck background check) may have limited value in this context; and how to build proportionate, defensible workforce assurance using layered and practical methods.
Trusted workforce assurance: The starting point
Trusted workforce assurance is not about predicting intent or judging character. It is about managing security risk and uncertainty.
At its core, trusted workforce assurance asks four interrelated questions:
- What security risks does the organisation face at an enterprise level?
- Which roles are exposed to those risks?
- What level of assurance is required for those roles to mitigate likely risk?
- What information and controls are needed to achieve that assurance?
Pre-employment screening is one of the controls within this system. It does not create trust on its own. It produces information that allows an organisation to make informed, risk-based decisions about access, oversight, and ongoing suitability.
This distinction matters, particularly when dealing with non-citizen offshore applicants.
In non-citizen offshore cases, the objective is rarely to achieve absolute knowledge. The objective is to achieve sufficient, defensible assurance to support a risk-informed decision, supported by layered controls and ongoing suitability monitoring.
Why enterprise and role risk must come first
Screening should never begin with the person. It must begin with the enterprise, the role, and the consequences associated with that role.
Consider a critical infrastructure entity facing contemporary security risks such as:
- Foreign interference
- Cyber intrusion into operational technology environments
- Supply chain manipulation
- Insider-enabled disruption.
These risks do not apply evenly across the workforce. For example, a SCADA engineer, OT administrator, network architect, procurement manager approving high-risk vendors, or incident response lead will have very different exposure to critical assets and operations compared to a person in a general administrative role.
Once enterprise security risks are understood, organisations can assess:
- What systems, data, and assets the role can access
- What decisions the role can influence
- What harm could occur (also known as the consequence) if the role were compromised.
Only then can screening and assurance be designed in a meaningful way.
This role-first logic is particularly important for non-citizen offshore applicants, because it prevents overreaction to uncertainty and instead anchors decisions in consequence.
The limits of AusCheck background check for non-citizen offshore applicants
In Australia’s critical infrastructure sectors, AusCheck background checks are available under certain regulated Commonwealth government frameworks. An AusCheck background check coordinates identity verification, a criminal history check, a criminal intelligence check, and a national security assessment for specific purposes.
Within that defined scope, an AusCheck background check does exactly what it is designed to do: it helps reduce the likelihood that individuals with known criminal or terrorism-related concerns are placed into sensitive environments.
However, for candidates with a limited footprint in Australia, such as non-citizens located offshore, an AusCheck background check will often return little meaningful information.
This is not a flaw. It reflects a structural reality:
- Australian criminal history checks draw primarily on Australian records
- National security assessments rely on information held within Australian systems and foreign partner holdings
- Recent arrivals may have minimal data captured domestically.
A “clear” result in this context does not equate to low risk. It simply means there is insufficient Australian-held information to identify security-relevant matters that could be of concern.
For non-citizen offshore applicants, an AusCheck background check therefore provides limited assurance value as a standalone control. AusCheck may satisfy a regulatory or compliance requirement, but it does not answer the broader assurance question: is this individual suitable for this role, in this environment, at this time? AusCheck, in this scenario, often achieves minimal security effect.
This distinction is critical for executive decision makers. Compliance with a check does not equal assurance. Assurance must be constructed.
Because no single check provides sufficient assurance, organisations must rely on layered corroboration.
Offshore screening requires a corroboration mindset
Where traditional background checks are constrained, internal workforce assurance could be built through corroboration and coherence testing.
This means treating the candidate’s history as a dataset and asking whether it is internally consistent and externally verifiable.
Practical techniques could include:
1. Identity and document verification
- Multi-factor identity verification
- Cross-checking passports, visas, and supporting documents
- Confirming right to work status and visa pathway.
Visa type can provide useful context about what identity checks have already occurred through the Department of Home Affairs, without being treated as a proxy for trust.
Organisations should document what level of identity assurance has been achieved, and what residual risk remains.
2. Direct verification of education and qualifications
- Contacting universities and training providers directly
- Using registrar verification services
- Confirming completion dates, fields of study, and award type.
This is particularly important for technical and engineering roles where qualifications underpin access to sensitive environments.
3. Employment history corroboration
- Contacting HR departments of previous employers
- Verifying dates, job titles, and responsibilities
- Confirming reasons for departure where appropriate.
Where organisations no longer exist or cannot be contacted, this limitation should be recorded and considered in the overall risk assessment.
A useful technique is to construct a chronological timeline of the candidate’s last ten to fifteen years and test whether every period can be plausibly explained and corroborated.
4. Unnominated referees
Where lawful and proportionate, seeking confirmation from referees not nominated by the candidate can provide valuable insight into:
- Reliability
- Security attitudes
- Compliance with rules
- Character traits
- Behaviour under pressure.
5. Open-Source Intelligence (OSINT) check
An ethical, proportionate OSINT check can provide valuable corroborative information where traditional background checks offer limited visibility, particularly for non-citizen offshore applicants.
Practical OSINT activities may include:
- Reviewing professional networking platforms (such as LinkedIn) to confirm employment history, role titles, timelines, and stated responsibilities.
- Searching for technical publications, conference presentations, patents, or research contributions that align with claimed expertise.
- Reviewing publicly available company records or corporate registries for evidence of directorships, ownership interests, or business affiliations.
- Identifying public statements, interviews, or online contributions that demonstrate professional standing, technical focus, areas of interest, or personal views that may be relevant to the role being offered.
- Checking for inconsistencies between resumes, application forms, referee reports and publicly available information (for example, mismatched employment dates or unexplained role changes).
OSINT can also assist in identifying:
- Unexplained gaps in professional history
- Undisclosed business interests
- Patterns of frequent job movement without clear explanation.
Importantly, OSINT findings should never be treated as determinative in isolation. They should be used as a corroboration tool to inform follow-up questions, requests for clarification, or additional verification.
National security context without personal judgement
Candidates from countries such as China, Russia, Iran, North Korea or other jurisdictions of strategic concern to Australia present a particular challenge for organisations.
The correct lens is not nationality. The correct lens is threat exposure and role consequence.
Executives should consider:
- Does the role involve access to sensitive operational technology, network architecture, security controls, or incident response processes?
- Could the role create opportunities for coercion, pressure, or exploitation of the person?
- Would compromise of this role have systemic consequences?
These questions are applied to the role, not the individual.
The presence of higher-interest threat vectors may justify:
- Enhanced internal screening
- Staged or limited access during onboarding
- Segregation of duties
- Increased monitoring
- Clear behavioural expectations and training
- More frequent suitability reviews.
For example, an electricity transmission operator recruits a non-citizen offshore SCADA engineer. Employment and qualification history is largely verified, but a twelve-month employment gap is identified.
During a structured interview, the candidate explains the period was taken to care for an unwell parent. Two independent referees confirm this account.
Residual risk remains low but not zero.
Mitigations applied include staged access to control systems, close supervision during the first six months, and mandatory security awareness training.
The individual is assessed as suitable with conditions.
Conversely, applicants from countries within Australia’s closest intelligence-sharing partnerships, such as the Five Eyes alliance (Australia, United States, United Kingdom, Canada, New Zealand), may present different verification and intelligence visibility considerations. This does not remove risk, but it may influence the degree of external corroboration available.
Decision-making under imperfect information
For non-citizen offshore applicants, it is common that some elements of a person’s history cannot be fully verified.
This does not automatically mean the individual is unsuitable. It means that residual risk exists.
Executives must, therefore, decide whether:
- The role consequence is tolerable given that residual risk
- Additional controls can reduce exposure to an acceptable level, or
- The role should not be offered.
In some cases, particularly for highly specialised roles with scarce skills, there may be no practical alternative candidate. In these situations, the question becomes not “is this person perfect?” but “can we manage the risk safely?”
In these circumstances, organisations should treat any decision to proceed as a formal waiver or exemption against standard assurance expectations, rather than an informal exception.
A waiver is a conscious governance decision that acknowledges residual risk, documents why the risk is being accepted, and specifies the conditions under which that acceptance applies. This typically includes defined time limits, additional controls, enhanced oversight, the person’s workplace behaviour, and clear accountability for monitoring.
Framing these decisions as governed waivers ensures transparency, consistency, and defensibility, while reinforcing that security risk acceptance is deliberate, authorised, and reviewable, not ad hoc.
Waivers should be approved by a designated executive authority and subject to periodic review.
Conclusion
Trusted workforce assurance for non-citizen offshore applicants is not about eliminating uncertainty.
It is about recognising it, understanding consequence, and governing security risk through layered, proportionate, and defensible controls.
When screening is designed around enterprise risk, role consequence, and ongoing suitability, organisations can safely access global talent while protecting the assets and systems that Australians rely on every day.

