When Identity Verification Goes Wrong, Employers Pay the Price

Every employer knows they have to complete a Form I-9. Fewer understand that how they verify identity, and how accurately, carries its own legal weight. And almost none have heard of NIST.

That's a problem. Because in 2026, not all identity verification is created equal. And the difference between a biometric system that has been independently validated and one that hasn't could be the difference between a defensible hiring decision and a costly lawsuit.

What Is NIST — and Why Should Employers Care?

NIST — the National Institute of Standards and Technology — is a U.S. federal agency that sets the performance benchmarks for technologies used in everything from cybersecurity to advanced manufacturing. In the world of biometrics, NIST runs what is widely considered the gold standard evaluation for facial recognition technology: the Face Recognition Technology Evaluation, or FRTE.

The FRTE tests facial recognition algorithms from vendors around the world against enormous, diverse datasets — measuring accuracy, speed, bias, and robustness under real-world conditions. With algorithms tested against hundreds of global submissions and measured across dozens of diverse datasets, NIST FRTE is the most rigorous and respected global benchmark for face recognition in the world.

For employers, this matters for one simple reason: if you are using biometric technology to verify a new hire's identity, you need to make sure you are not making a legal decision based solely on that technology's output. It must only be considered a tool to help make an identity decision, but If that output is wrong — because the algorithm is inaccurate, biased, or untested — you bear the consequences if you have been led astray by a poor alogorithmic output

The Two Liability Risks Employers Don't See Coming

1. Liability for Illegal Hiring

The first risk is the obvious one: hiring someone who is not legally authorized to work in the United States. ICE initiated more than 6,400 audits in fiscal year 2019 — and in 2025, audit rates ran at least ten times higher than in 2024, with more than 1,800 Notices of Inspection issued in just the first half of the year alone.

Under the Immigration Reform and Control Act of 1986 (IRCA), 8 U.S.C. § 1324a, employers are prohibited from knowingly hiring unauthorized workers and are required to verify both identity and work authorization for every new hire via Form I-9.

Form I-9 requires employers to verify both identity and work authorization. But verifying a document without verifying the person holding it is incomplete verification. An employee can present a legitimate ID belonging to someone else entirely. Without biometric 1:1 matching — comparing the live face of the person in front of you to the photo on the ID — you have no way of knowing whether the ID actually belongs to your new hire.

The risks of I-9 errors and potential liability are increasingly tangible, with the return of visible worksite enforcement, the dismantling of several immigration programs, and compounding I-9 compliance challenges facing employers across the country.

If an ICE audit reveals that you hired someone using another person's identity documents, the government will not accept "we looked at the ID" as a defense. The question becomes: what did you do to verify the person matched the document? A NIST-validated biometric system provides a documented, defensible answer.

The legal authority is the Immigration Reform and Control Act of 1986 (IRCA), codified at:

Legal note: 8 U.S.C. § 1324a — Unlawful employment of aliens

Specifically:

• 8 U.S.C. § 1324a(a)(1) — prohibits knowingly hiring unauthorized workers
• 8 U.S.C. § 1324a(b) — requires employment verification via Form I-9
• 8 CFR § 274a.2 — the implementing regulation governing I-9 procedures and electronic I-9 system requirements

For fines specifically:

• 8 CFR § 274a.10(b)(2) — civil monetary penalties for I-9 violations (the $288–$2,861 per form figure)

2. Liability for Wrongful Discrimination

The second risk is less obvious but equally serious — and it runs in the opposite direction.

Under 8 U.S.C. § 1324b, IRCA's anti-discrimination provisions prohibit employers from discriminating based on citizenship status or national origin during the I-9 process, and from engaging in document abuse — requesting more or different documents than the I-9 requires.

Employers can face discrimination claims if their identity verification process treats people differently based on perceived race, national origin, or citizenship status. Asking non-U.S. citizens to present DHS-issued documents while allowing U.S. citizens to present a driver's license and Social Security card — or treating employees differently during the I-9 process based on their appearance, accent, or perceived nationality — can lead to discrimination claims under the Immigration Reform and Control Act.

This is where biometric accuracy becomes a civil rights issue. If an employer uses a facial recognition system that performs less accurately on certain demographic groups — darker skin tones, older faces, women — that system can produce disproportionately higher mismatch rates for those groups. The employer then takes adverse action based on a bad biometric result without even knowing it. The result: a discrimination claim rooted in a technology failure the employer trusted.

Recent federal litigation has established that HR technology vendors themselves can be held liable for discriminatory outcomes, not just the employers who use their tools. California's workplace AI regulations, effective October 2025, make clear that any automated decision system used in employment must have meaningful human oversight, and that employers must proactively test for bias and maintain records for at least four years.

The legal standard is moving fast. Choosing a biometric system that has not been independently evaluated for accuracy and fairness across demographic groups is no longer a defensible position.

‍

Why NIST Validation Is the Answer to Both Risks

A NIST-validated algorithm provides something no vendor self-certification can: independent, government-tested proof of accuracy across diverse populations.

NIST's ongoing evaluations show that top-performing algorithms now achieve false non-match rates below 0.15% under controlled conditions — but the spread between top-ranked and mid-tier algorithms is significant, particularly in real-world deployment conditions involving variation in lighting, aging, pose, and demographic diversity.

For I-9 verification specifically, the relevant benchmark is 1:1 verification — matching a live selfie to a single stored image, in this case the photo on a government-issued ID. This is a different and more precise task than 1:N identification, which involves searching large databases. An algorithm that performs well in 1:N identification may not be the best choice for the high-stakes, one-person-at-a-time verification an I-9 requires.

ZipID's Choice: A Top 3 Globally Ranked Algorithm

ZipID's facial recognition is powered by Innovatrics — and that choice was deliberate.

In NIST's FRTE 1:1 verification evaluation, Innovatrics ranks 3rd globally in the mugshot-to-mugshot benchmark as of its most recent submission in March 2025 — out of hundreds of algorithms submitted by vendors from around the world. The mugshot-to-mugshot scenario, in which a controlled photo is compared to another controlled photo at extremely low false match rates, is the closest available NIST test scenario to what I-9 verification actually requires: comparing a new hire's live selfie to the photo on their government-issued ID.

These two scenarios are analogous but not identical — a live selfie introduces variables like lighting, angle, and liveness detection that a controlled mugshot does not. But Innovatrics' performance in the most demanding controlled accuracy benchmark available provides the strongest independent signal of real-world reliability that currently exists in the industry.

This is not a vendor claim. It is a live, continuously updated U.S. government evaluation that any employer can verify themselves at pages.nist.gov/frvt/html/frvt11.html. Rankings are updated as new algorithm submissions are evaluated, so we encourage you to check the current leaderboard directly.

But here's what the leaderboard doesn't tell you — and what every U.S. employer should know before choosing a biometric vendor.

In the mugshot-to-mugshot benchmark for images more than 12 years apart — the most demanding test of long-term accuracy — the rankings are: #1 CloudWalk (China), #2 STCon (South Korea), and #3 Innovatrics (Slovakia).

CloudWalk ranks on NIST's leaderboard because NIST evaluates algorithmic accuracy — not vendor ethics, national security risk, or suitability for U.S. employer use. That is entirely appropriate for a scientific evaluation. But it means that accuracy ranking alone is an incomplete basis for choosing a biometric system for I-9 verification.

CloudWalk Technology is a Chinese company that has been placed on the U.S. Department of Commerce Sanctioned Entity List and the Department of Defense's list of "Chinese military companies" for its alleged role in the mass surveillance of the Uyghur population. It ranks on NIST's leaderboard. It should not be on any U.S. employer's vendor shortlist.

For U.S. employers verifying the identities of new hires — many of whom may work in sensitive industries, hold security clearances, or have access to proprietary information — vendor origin, government standing, and national security risk are not secondary considerations. They are part of the compliance decision.

Innovatrics is a Slovak company with a long track record of deployment in Western government and enterprise environments, no sanctions, no Entity List designation, and no national security flags. It is the highest-ranked Western, non-sanctioned algorithm in NIST's 1:1 verification evaluation for this benchmark. That is why ZipID chose it — and why we believe U.S. employers should care not just about accuracy, but about who is behind the algorithm.

Ultimately, for employers, this ranking translates directly to confidence in every hire: the algorithm comparing your new hire's selfie to their government-issued ID is among the most accurate facial recognition systems ever independently tested by the U.S. government — with a false non-match rate of just 0.2% in the mugshot benchmark, meaning fewer than 2 errors per 1,000 verifications under the most stringent testing conditions.

Note: ZipID's published accuracy figure reflects the specific implementation and testing conditions of our platform. We encourage prospective customers to ask any biometric identity verification vendor for their specific NIST submission results and the test conditions under which their accuracy figures were measured.

What This Means for Your Hiring Practice

When ICE comes to audit your I-9s, or when a rejected applicant files a discrimination complaint, the question will not just be whether you completed the form correctly. It will be whether your identity verification process was accurate, consistent, fair, and documented.

A NIST-validated biometric system answers all four of those questions. An unvalidated one answers none of them.

Here is what employers should ask of any biometric identity verification tool they use:

• Has the underlying algorithm been independently evaluated by NIST?
• What is its ranking in the FRTE 1:1 verification benchmark specifically?
• Has it been tested for demographic consistency across race, age, and gender?
• Does it include liveness detection to prevent spoofing and deepfakes?
• Does it produce a documented confidence score and audit trail for every verification?

If you cannot get a clear answer to all five questions, you are taking on liability you do not need to take on.

The Bottom Line

NIST rankings are not a technical nicety. They are a legal protection. In a hiring environment where ICE audits are at record levels, discrimination claims involving AI tools are rising, and Gartner projects that by 2028 one in four job applicants will be fake, the accuracy of your identity verification technology is a compliance decision — not just a technology one.

ZipID was built on this principle. Our founder helped write the federal identity doctrine underlying today's I-9 compliance framework. We didn't choose a top-3 NIST-ranked algorithm because it was available. We chose it because anything less is not good enough for employers who need to be able to defend every hiring decision they make.

Verify Fast. Comply Smarter. Know your new hire is who they say they are.

‍

Janice Kephart is the Founder and CEO of ZipID and one of the most recognized public voices on national security, identity, and border policy in the United States. Former counsel to the 9/11 Commission, she authored the federal identity doctrine underlying today's I-9 compliance framework, including the biometric entry-exit mandate, REAL ID Act, and passport requirements for all travelers. She has testified before Congress 19 times on identity-related issues.

Ready to verify your new hires with confidence?

ZipID completes the entire Form I-9 process in under 8 minutes, fully compliant with 8 CFR § 274a.2.

Schedule a Demo: https://calendly.com/janicek-zipidapp/

Get started now. View pricing.

‍

‍

‍