Article 1: Why the AusCheck background check is not enough — moving towards proportionate, risk-led workforce assurance


Workforce assurance is now a key national security capability for Australia’s critical infrastructure sectors. As the operating environment becomes more complex, the risks associated with trusted insiders, including employees, contractors and third-party personnel with legitimate access, are increasing.

Many organisations continue to rely heavily on the AusCheck background check as their primary workforce assurance measure. AusCheck can play a role, but the assurance it provides is narrow. AusCheck focuses on:

  • identity verification
  • verification of a non-citizen’s right to work, where relevant (VEVO check).

These checks were not designed to assess the broader personnel security risks that exist across Australia’s critical infrastructure sectors.

Today’s environment involves threats including trusted insider activity, encompassing espionage, foreign interference, issue-motivated individuals and groups, and serious and organised crime, all of which can be enabled by vulnerabilities such as financial stress, coercion, grievance, psychological pressure, or the misuse of privileged access. These issues typically develop over time and are rarely revealed through a single background check.

Because AusCheck sits within a legislated framework, adapting it to new risk areas requires changes to multiple Commonwealth Government Acts and regulations. This makes reform slow and complex. By the time additional checks are introduced, the threat landscape has often already shifted. Reforms to AusCheck may be necessary, but they are unlikely to provide a complete or timely solution to meet current and near-term risks.

Critical infrastructure entities therefore need to move beyond reliance on point-in-time background checking and develop internal workforce assurance approaches that are risk-based, proportionate, and ongoing, and that reflect the organisation’s unique operational context.

Most organisations already undertake elements such as police checks, identity verification, conflict-of-interest declaration, qualification and referee checks. The opportunity is to integrate these measures in a way that helps understand security risks associated with particular roles, and supports continuous assessment across the employment lifecycle.

Importantly, such approaches are not about “catching someone doing the wrong thing”.

They are about creating systems that support workers, promote wellbeing, strengthen trust-based organisational culture, and identify vulnerabilities early so they can be managed fairly, proportionately and ethically for the benefit of the enterprise and the people who rely on it.

This article explains why reliance on AusCheck alone creates a dangerous illusion of assurance.

The following articles in this series will explore how organisations can design practical, proportionate workforce screening and ongoing suitability programs that genuinely address personnel security risk.

Workforce assurance has traditionally been viewed through an employment, compliance or probity lens. In many organisations it has sat alongside recruitment, human resources or integrity processes, rather than within the broader conversation about national security, risk management and resilience.

For critical infrastructure entities, this view is no longer sufficient.

Critical infrastructure assets are increasingly interconnected, interdependent, digitised and reliant on complex operating environments. In many cases, a single trusted individual has legitimate access to systems, facilities, information, suppliers and decision-making processes that, if misused or compromised, can cause consequences well beyond the organisation itself. The potential impacts include service disruption, economic harm, reputational damage, loss of public confidence, and in some scenarios, national security risk.

Personnel security risk, therefore, needs to be treated in the same way as cyber, supply chain and physical security risk, as a strategic threat that requires governance, visibility and ongoing management.

The Security of Critical Infrastructure (SOCI) Act 2018 and the subordinate Rules reinforce this shift. They recognise that people can be both an organisation’s greatest strength and a potential avenue for compromise, particularly where roles involve privileged access, operational decision-making, or influence over critical assets. Personnel security risk is not simply the risk that an individual may do something malicious. It includes the risk that a trusted insider may become vulnerable to coercion, pressure, influence or error over time.

Unlike many traditional risk domains, personnel security risk cannot be addressed through a single control, a single policy, or a single background check. People are complex, and people change. Personnel security is dynamic, contextual and deeply connected to organisational culture, leadership and wellbeing. It requires systems that can identify emerging vulnerabilities early, provide support, encourage reporting, and enable proportionate risk management without stigmatising individuals.

This is why workforce assurance should now be understood as a national security capability, not a transactional process. It is a capability that:

  • supports the protection of essential assets and services
  • strengthens organisational resilience
  • builds trust between industry and government
  • provides decision-makers and Boards with meaningful assurance, rather than symbolic comfort
  • helps safeguard people by creating supportive environments where vulnerabilities can be identified early and addressed appropriately.

The AusCheck background check is often spoken about as if it is a comprehensive personnel security assessment. In reality, it is a coordination service that supports eligibility checking for particular roles and frameworks, including those linked to critical infrastructure.

AusCheck arranges background checks through partner agencies and compiles the results for the responsible entity. For most critical infrastructure contexts, this involves:

  • verifying identity
  • arranging a criminal history check through the ACIC
  • requesting a national security assessment from ASIO, focused on counter-terrorism matters
  • confirming the right to work in Australia, where relevant.

In some specialised frameworks, such as aviation and maritime security identification cards, the only substantive difference is the addition of a criminal intelligence check under the relevant legislation. This reflects the legal frameworks within which those schemes operate, rather than a broader personnel security assessment.

These checks play an important role. They reduce the likelihood that people with known criminal or national security concerns are granted access to sensitive environments. Put simply: the AusCheck background check helps identify whether a person has known criminal or terrorism-related red flags recorded in relevant systems.

AusCheck describes this as helping to protect Australia from insider security risks, including cyber threats, by checking who can access critical areas. That contribution is real, but insider and cyber threats in 2026 are far more complex.

Insider threat increasingly involves:

  • legitimate users misusing legitimate access to information, people and critical assets
  • individuals becoming vulnerable over time due to pressure, coercion or grievance
  • external actors deliberately cultivating trusted insiders
  • contractors, service providers and third parties operating deep inside organisational systems.

These risks emerge gradually, are often subtle, and are shaped by the roles people hold, the systems they access and the culture in which they work.

Against this backdrop, AusCheck plays a focused but limited role. It helps ensure that individuals with known criminal or national security concerns are identified before they are placed in sensitive roles. That contribution matters but it sits at the very front end of a much larger insider-risk continuum.

The real mitigation of insider threat occurs through:

  • understanding which positions are genuinely critical
  • building proportionate and risk-based workforce screening around those positions
  • communicating the standard of security behaviour that is required
  • maintaining ongoing awareness of changes in people’s circumstances
  • supporting staff wellbeing and encouraging early reporting
  • integrating personnel risk into broader enterprise security governance.

Seen in this way, AusCheck is best understood as a supporting control, one input within a broader workforce assurance capability. It reduces a small slice of risk, but it cannot address the wider range of behaviours, vulnerabilities and pressures that drive insider threat in modern critical infrastructure environments.

Equally, it is important to be clear about what AusCheck does not do.

AusCheck does not assess whether a person presents a security risk in the specific context of an organisation, a role, a system or a threat environment. It does not consider how access will be used, what privileges are granted, or how a person’s circumstances may evolve over time.

Nor does an AusCheck background check equip an organisation with meaningful insight into personnel security vulnerabilities, such as emerging financial stress, conflicts of interest, susceptibility to coercion, behavioural concerns or other factors that, when identified early, can be managed in a supportive and proportionate way.

In other words: AusCheck provides coordinated, point-in-time background checking that is primarily focused on identifying terrorism-related and criminal risks. It does not provide an understanding of the broader personnel security risks that may need to be monitored and managed across the employment lifecycle.

Recognising this boundary is essential. AusCheck is an important input, but it is not, and was never designed to be, a substitute for an organisation’s own workforce assurance framework that understands roles, context and people over time.

One of the most significant issues facing critical infrastructure entities is not simply what AusCheck does today, but how slowly it is able to change (if at all) in response to emerging threats.

AusCheck operates inside a tightly defined legislative architecture. The scope of the checks it can coordinate, and the way those checks are used, is determined by Acts of Parliament, regulations and supporting legislative instruments. As a result, adding a new risk category, expanding assessment criteria, or modifying the way decisions are informed is rarely a simple policy change. It requires coordinated amendments across multiple pieces of legislation and agreement between several agencies.

In addition, the AusCheck background checking scheme operates on a cost-recovery basis. Fees collected are designed to cover the actual cost of delivering the service, ensuring that fair and accurate costs are recovered from those who use it. While appropriate from a public administration perspective, this model means that any change to the scope, content or method of checking requires detailed financial, operational and policy review, often alongside formal approval processes. In practice, altering even one component of the check can take years.

The experience of previous reform efforts illustrates this clearly. The introduction of criminal intelligence checks for aviation and maritime security identification schemes required extensive consultation, legislative change and parliamentary consideration before implementation. During this period, law enforcement agencies may have held intelligence about individuals with links to serious and organised crime, but that information could not legally be used and was therefore not available to the framework. As a result, those risks were not consistently detected or mitigated through the scheme. By the time reforms of this nature are completed, the threat environment has almost always shifted again.

This is not a criticism of government process. It reflects the reality that AusCheck was designed as part of a regulated ‘gate’ security ecosystem. It was never intended to operate as a flexible workforce assurance tool capable of quickly adapting to new patterns of behaviour, coercion, foreign interference or emerging insider risk typologies.

Any meaningful expansion of AusCheck typically requires:

  • identifying legislative gaps
  • drafting amendments
  • Cabinet and parliamentary consideration
  • consultation with industry and agencies
  • systems redesign and implementation.

This is appropriate for security control programs involving rights, privacy and authorisation, but it means new personnel security risk indicators cannot simply be added when a new pattern of threat emerges.

Dependence on law enforcement datasets

AusCheck draws primarily on:

  • criminal history information
  • national security assessment information
  • immigration status data.

These are essential inputs, but they represent only a narrow slice of the risk picture. They rarely capture behavioural change, financial stress or vulnerability, conflicts of interest, coercion or foreign influence risks, and wellbeing and organisational culture factors. AusCheck generally relies on information held in Australian databases.

In practice, this also means the AusCheck background check is most effective for individuals with a significant life footprint in Australia. Where a critical worker has spent most of their life, education and employment overseas, there may be little or no Australian-held information available. In those cases, the check can return very limited insight, even where overseas risks may exist.

Absence of ongoing, contextual assessment

Because AusCheck is a point-in-time check, it does not support:

  • continuous suitability monitoring
  • early identification of emerging vulnerabilities
  • proportionate support or intervention.

Reform is underway — but scope and timing matter

The Department of Home Affairs is progressing a reform of the AusCheck background checking framework. The intent is to deliver a fit-for-purpose background-checking framework that enhances national security outcomes, improves operational efficiency and provides a more flexible and adaptable service.

These reforms are significant and welcome. They improve how background checking works, but they remain focused on improving the background-checking system itself. They do not, and are not intended to, transform AusCheck into a comprehensive, adaptive personnel security framework capable of responding dynamically to insider threat, foreign interference or organisation-specific risks.

Designed for gates, not enterprise workforce assurance

Seen in this light, AusCheck is not flawed. It performs the function for which it was designed. It emerged from a security environment shaped heavily by post-9/11 concerns about terrorism and the protection of regulated, high-risk environments. It was not created to manage complex workforce assurance across diverse, evolving critical infrastructure settings. Expecting it to provide deep assurance across the employment lifecycle is to ask it to do something it was never intended to do.

If the AusCheck background check focuses primarily on identifying terrorism-related and criminal risks, the reality facing critical infrastructure organisations is far broader, and far more human.

Australia’s national security agencies have made it clear that espionage, foreign interference and insider threats now represent persistent and systemic risks across essential services. People with legitimate access, including employees, contractors, service providers and trusted partners, are increasingly viewed by hostile actors as the easiest pathway to compromise systems, disrupt operations and erode trust.

This is reflected in the Australian Government’s protective security policy settings. The Commonwealth Government’s Protective Security Policy Framework (PSPF) recognises that insider threat is not simply a question of criminality. It is about vulnerability, opportunity and intent interacting over time. Insider incidents frequently arise not from clear wrongdoing at the point of hiring, but from pressures, grievances or coercion that develop later.

In this context, a workforce assurance model must look beyond “Has this person committed a serious crime?” and instead ask:

  • Where might this person be vulnerable?
  • What pressures or circumstances could increase susceptibility to compromise?
  • What support, governance and controls reduce risk over time?

This is not about suspicions or punitive judgement. It is about understanding the risk environment that surrounds people in critical roles, and managing that risk ethically and proportionately.

International adjudicative frameworks, together with the PSPF, identify recurring categories of factors that may increase vulnerability to compromise. These are not diagnoses and they are not labels. They are indicators that prompt further consideration, support and proportionate management.

Indicators include:

  • Foreign associations and influence: significant overseas ties, financial dependencies or obligations that may create leverage
  • Coercion and susceptibility: situations where individuals may be pressured, threatened or manipulated
  • Financial stress: debt, compulsive spending, bankruptcy or financial instability that may heighten risk
  • Gambling and financial compulsions: behaviours that create escalating financial pressure or secrecy
  • Conflicts of interest: outside business activities, secondary employment or relationships that compromise impartiality
  • Ethics, integrity and rule-compliance: patterns of policy avoidance, dishonesty or disregard for organisational rules
  • Misuse of systems and privileged access: inappropriate access, data exfiltration, or attempts to bypass controls
  • Personal conduct and reliability: persistent failure to follow procedures, unexplained absences or unreported incidents
  • Substance abuse risk patterns: behaviours that impair judgement, performance or reliability
  • Psychological or behavioural instability indicators: concerning behavioural change that may signal distress, grievance or deterioration in wellbeing
  • Vulnerability arising from family or personal pressures: caregiving burdens, significant life stressors or dependency situations
  • Overseas travel, affiliations or obligations: frequent travel, complex offshore connections or unexplained foreign engagements

Two points must be stated clearly.

First, these factors are not punitive. They do not automatically equate to “risk” and they certainly do not predict misconduct. They are internationally recognised indicators used to understand whether someone may become more vulnerable to coercion, exploitation or poor decision-making — and where organisations might need to:

  • offer support
  • adjust controls
  • increase awareness
  • strengthen governance around critical roles

Second, these factors are dynamic. They appear, change and disappear over time. That is precisely why a single, point-in-time background check, even a high-quality one, cannot provide meaningful assurance by itself.

Where PSPF-style thinking is applied, workforce assurance becomes less about exclusion and more about stewardship: identify vulnerabilities early, support people appropriately, and manage risk proportionately across the employment lifecycle.

Many critical infrastructure entities understandably rely on external background checking providers. In Australia, this may include AusCheck, the Australian Government Security Vetting Agency (AGSVA), or private background screening companies.

These organisations provide valuable services, but the assurance they deliver is frequently misunderstood.

External providers conduct point-in-time assessments. They verify information, review records, identify red flags and provide recommendations or eligibility outcomes. Their mandate is to determine whether an individual meets the generic criteria for a clearance or check at a particular moment.

These organisations are not responsible for mitigating organisational risk.

They do not:

  • understand the operational nuances of every critical asset
  • understand the unique security risk environment of every critical asset
  • analyse insider dynamics within specific teams
  • observe behavioural changes over time
  • track how access, authority or responsibilities evolve
  • review the impact of personal circumstances on future vulnerability.

Their outputs are often binary:

  • pass / fail
  • eligible / ineligible
  • proceed / reject.

What organisations do not receive is visibility into nuanced personnel security risk, the “why”, the context, or emerging vulnerabilities that may need to be managed carefully, proportionately and ethically.

When organisations outsource workforce assurance entirely, they often outsource visibility.

They gain clearance, but they lose insight.

Clearance may demonstrate that nothing disqualifying was identified at the time. It does not demonstrate that the risk is understood, managed or monitored, nor the suitability of the person.

And critically:

  • outsourced providers cannot monitor your workforce
  • they cannot observe change
  • they cannot integrate personnel risk with operational, cyber, physical or supply-chain risk.

An organisation may believe that because a person “passed a check”, the risk is resolved, when in reality, risk continues to evolve throughout employment. The organisation makes the decision to engage the person – it still owns the risk.

This is not a failure of AusCheck, AGSVA or private providers. It is simply recognition that outsourced background checking was never designed to substitute for organisational workforce assurance.

If background checks alone cannot provide assurance, organisations need a different approach, one that is shaped by their own risk environment.

Effective workforce screening is not about checking more information. It is about aligning assurance to:

  • the threats the organisation faces
  • the critical roles that matter most
  • the realistic vulnerabilities people experience.

In mature organisations, screening becomes part of the broader security framework, not an isolated HR transaction and not something outsourced entirely.

The core principle is simple: screen proportionately, based on risk. Higher-risk roles require deeper assurance. Lower-risk roles do not.

AusCheck can still play a valuable role, particularly where the organisation is concerned about terrorism-related or criminal risks. However, AusCheck should sit as one control option within a layered workforce-assurance approach, rather than the default or dominant mechanism.

The risks that matter most rarely emerge at the hiring stage. They emerge gradually, as people gain access, responsibilities increase, life circumstances change, and pressures fluctuate.

That is why the real challenge for critical infrastructure entities is not initial screening.

It is maintaining appropriate confidence in people over time.

Continuous suitability assessment does not mean constant checking or intrusive oversight. It means:

  • being aware of changes that may increase vulnerability
  • educating people about security and potential threats to them
  • creating systems where concerns can be raised early
  • supporting people when they experience pressure, distress or coercion
  • linking personnel awareness to broader CIRMP (Critical Infrastructure Risk Management Program) governance.

Seen this way, suitability becomes a shared responsibility, anchored in wellbeing, leadership and culture, rather than punishment.

This concept will be explored further in later articles, but the key message here is: the highest exposure period is the entire employment lifecycle, not the day someone is hired.

For Australia’s critical infrastructure entities, workforce assurance is no longer a compliance exercise. It is a strategic capability that underpins resilience, trust and national security. It is fundamental to asset protection and secure operations.

AusCheck continues to play a valuable role in coordinating background checks and identifying known criminal or terrorism-related risks. But it was not designed, and cannot realistically evolve, to address the complex, evolving personnel security challenges facing modern critical infrastructure environments. Treating AusCheck as the primary assurance mechanism risks creating a false sense of security, where eligibility is mistaken for safety and “passing a check” is assumed to equal low risk.

The real assurance challenge lies inside organisations themselves.

Boards, executives and risk leaders must understand the threat landscape, identify genuinely critical roles, and develop proportionate, risk-led workforce assurance approaches that operate across the full employment lifecycle. This means integrating screening, governance, wellbeing, reporting and continuous suitability into a coherent framework, with AusCheck as one supporting control rather than the decision.

This direction aligns clearly with CIRMP expectations, the PSPF, AS 4811:2022 and international good practice. It is not about doing more checking for its own sake. It is about building visibility, supporting people, and managing insider risk in a way that is ethical, proportionate and practical.

The organisations that treat workforce assurance as a core security capability, rather than a transactional step, will be better positioned to protect critical services, maintain public trust and contribute meaningfully to Australia’s national resilience.

The next articles in this series will turn to the “how”: how to design proportionate workforce pre-employment screening, and how to build ongoing suitability programs that genuinely manage personnel security risk across the employment lifecycle.
