The rotating contractor. You vetted one person. A different one does the work.
You interviewed a senior engineer at a staffing vendor, ran the background check, and granted access. But the credential gets passed around an offshore bench — a junior, a night-shift fill-in, sometimes whoever's free. The person you vetted and the person inside your systems are no longer the same human. Verizon's 2025 DBIR found third-party involvement in breaches doubled to 30% in a year. Manav binds the access to the specific human you approved.
You contract with a vendor. You trust a person. The two aren't bound together.
Staff-aug and BPO economics reward the vendor for sharing one approved seat across many bodies. Your vetting — interview, background check, NDA — attaches to a name, but your access attaches to a login, and nothing keeps the name and the login pointing at the same human. When Coinbase was breached in 2025, the entry point was overseas support contractors recruited to misuse legitimate access. The risk isn't always malicious; it's that you simply can't see who is actually on the other end of the seat you're paying for.
Anyone who's managed an outsourced team has wondered: am I getting the A-player I interviewed?
The vetting happens once, on a name. After that, the vendor controls who sits in the seat, and you have no independent way to confirm the human behind today's session is the human you approved. So the credential becomes a shared asset, quality swings, and your sensitive access quietly extends to people who never passed your screen — and whom you can't hold accountable.
Who's in the seat today?
You vetted and approved Priya N. (senior) for vendor-seat-44. The vendor controls who actually signs in. Compare a session opened with the seat's shared password against one that has to pass a Manav check.
What you're seeing: a shared password opens the door for anyone the vendor seats. A Manav check is bound to the vetted person's own device, so a fill-in can't reproduce it.
Bind the vetted human to the seat. Re-verify the same human at sign-in and at sensitive actions.
// At approval, bind the vetted individual (not the vendor) to the seat
const { manav_id } = await manav.bind({
  context: "vendor/seat",
  vendor: contract.vendorId,
  vetted: backgroundCheck.subjectRef,
});

// On every session start and every sensitive action, require the SAME human
const r = await manav.verify({ manav_id, context: "vendor/session" });

// deny() and flag() stand for your own policy handlers (assumed, not part of the SDK)
if (!r.same_human) return deny("seat_occupant_not_vetted_person");
if (r.shared_signal) flag("credential_shared_across_people");
The seat is anchored to the passkey on the vetted person's own device, with liveness. A fill-in can be handed the password, but not the approved human's enrolled finger or face. The moment a different body takes the seat, the verification fails — and you find out at sign-in, not after a breach post-mortem traces it back to a contractor nobody recognized.
What an unverified seat can cost.
Each contractor seat is privileged access in someone else's hands. Weigh your seat count against the share realistically occupied by an unvetted person and the modeled cost of a third-party breach.
Where this lives.
Seat-to-human binding
Each approved seat is bound to one vetted individual. Vendors can rotate staff — but only people who pass your screen and enroll their own device get access.
Shared-credential detection
Concurrency and device signals expose a single login being passed around a bench, before it becomes the entry point in a DBIR statistic.
Accountability trail
Every sensitive action carries a signed proof of which approved human took it — enforceable evidence for your MSA and audits.
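An added example of the shared-credential detection described above (the concurrency and device signals); this is illustrative code, not Manav's own implementation. The session records are constructed, and the field names, region codes and finding labels are assumptions.

```javascript
// Constructed session records for one vendor seat. A single vetted human should
// appear from one enrolled device; the third record is an overnight fill-in.
const SEAT_SESSIONS = [
  { seat: "vendor-seat-44", start: "2025-03-03T08:00:00Z", end: "2025-03-03T12:00:00Z",
    device: "dev-priya-laptop", region: "IN-KA" },
  { seat: "vendor-seat-44", start: "2025-03-03T11:30:00Z", end: "2025-03-03T15:00:00Z",
    device: "dev-bench-07", region: "IN-KA" },
  { seat: "vendor-seat-44", start: "2025-03-03T22:00:00Z", end: "2025-03-04T06:00:00Z",
    device: "dev-bench-12", region: "PH-00" },
];

// Returns a list of findings for the seat; an empty list means no sharing signal.
function sharedCredentialSignals(sessions) {
  const rows = [...sessions].sort((a, b) => Date.parse(a.start) - Date.parse(b.start));
  const findings = [];

  // Device signal: one vetted human enrolls one device, so a seat seen from
  // several devices is being occupied by more than one body.
  const devices = [...new Set(rows.map(r => r.device))];
  if (devices.length > 1) findings.push({ signal: "multiple_devices", devices });

  // Region signal: the same seat originating from more than one region.
  const regions = [...new Set(rows.map(r => r.region))];
  if (regions.length > 1) findings.push({ signal: "multiple_regions", regions });

  // Concurrency signal: two sessions on different devices overlap in time,
  // i.e. two people are signed in as the same approved human at once.
  for (let i = 0; i < rows.length; i++) {
    for (let j = i + 1; j < rows.length; j++) {
      const a = rows[i], b = rows[j];
      const overlap = Date.parse(b.start) < Date.parse(a.end) &&
                      Date.parse(a.start) < Date.parse(b.end);
      if (overlap && a.device !== b.device) {
        findings.push({ signal: "concurrent_sessions", devices: [a.device, b.device] });
      }
    }
  }
  return findings;
}

// The action a seat gate would take on these findings: force the vetted
// human to re-verify rather than silently trusting the shared login.
function seatDecision(sessions) {
  return sharedCredentialSignals(sessions).length === 0 ? "allow" : "require_reverification";
}

console.log(sharedCredentialSignals(SEAT_SESSIONS), seatDecision(SEAT_SESSIONS));
```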
Pay for the person you actually vetted.