
Prompt injection in HR and recruitment AI — candidate portfolio injection, resume screening bypass, and onboarding document attack surface

HR AI systems and applicant tracking platforms are increasingly applying vision-language models to candidate-submitted materials: portfolio images submitted by design and creative applicants, PDF slide decks parsed for skill signals, identity documents verified at remote onboarding, and scanned performance evidence reviewed during promotion cycles. What makes the HR AI attack surface structurally different from most multimodal injection contexts is the adversarial incentive structure: candidates, employees, and job applicants have a direct, concrete financial incentive to manipulate AI screening outcomes. A candidate who is shortlisted for an £80,000 role rather than rejected has gained real economic value; an employee whose AI-assisted performance review returns an inflated rating gains salary and promotion outcomes. This incentive structure means adversarial submission of crafted images is not merely a theoretical concern — it is a predictable behaviour once the technique is understood.

The ATS and talent intelligence platforms most exposed include Workday AI, Greenhouse, Lever AI, iCIMS, SmartRecruiters, LinkedIn Talent Hub AI, Eightfold AI, and Phenom People. All process some class of candidate-submitted image or document through an AI pipeline; none currently offer a native adversarial image detection layer at the document intake step.

GDPR Article 22 automated decision-making obligations apply to AI-powered candidate screening wherever that screening produces a decision or significant effect on a data subject — platforms must be able to demonstrate that automated screening outputs are based on accurate, unmanipulated input data. A VLM pipeline that processes adversarially crafted portfolio images cannot satisfy that requirement. See our analysis of GDPR Article 22 and multimodal AI automated decisions for the full compliance framing.

TL;DR

HR AI platforms and ATS systems process candidate-submitted images and documents via VLM pipelines that have no adversarial content detection. Candidates have direct financial incentive to submit crafted portfolio images, ID documents, and compensation PDFs that manipulate AI screening outcomes. Scan every candidate-submitted image with POST https://glyphward.com/v1/scan before ATS ingestion. Reject images with score >= 60 (lower threshold appropriate for HR screening given GDPR Article 22 legal significance). Free tier — 10 scans/day, no card required.

Four multimodal injection surfaces in HR and recruitment AI

1. Candidate portfolio image uploads in design and creative role applications. Graphic designers, UX designers, photographers, brand consultants, and other creative professionals applying for roles submit portfolio images as a core component of their application — JPEG screenshots of completed projects, PNG mockups, exported PDF slide decks of case studies. AI screening tools integrated into ATS platforms use VLMs to assess these portfolio images: extracting skill signals, assessing visual quality against role-specific rubrics, identifying tools and techniques demonstrated, and producing a structured skill assessment that feeds the shortlisting decision. Portfolio images are entirely candidate-controlled: the candidate selects every pixel that enters the submission. An adversarially crafted portfolio image — a genuine design work image with a typographic injection payload rendered at sub-visible contrast in the background or embedded in a region of visual complexity — can cause the AI screener to return a falsely high skill assessment score, fabricate technical endorsements that the candidate did not earn, or shortlist the candidate for roles they demonstrably do not qualify for. Because the adversarial text is invisible to a human hiring manager reviewing the same portfolio image, the AI-inflated assessment score is not surfaced as anomalous during review. Portfolio image submissions span JPEG, PNG, WebP, and multi-page PDF formats — all of which Glyphward’s pre-VLM scan gate processes before the image reaches the ATS AI pipeline.

2. Identity document processing in remote onboarding AI. Remote-first companies and globally distributed employers use AI-assisted identity verification workflows to process employee ID documents at onboarding: passport photos, driver’s licence images, national identity card scans submitted via onboarding portal uploads. VLM-based identity extraction tools parse these document images to extract name, date of birth, nationality, document number, and expiry date — structured fields that enter the HRIS (Human Resource Information System) and feed I-9 or right-to-work compliance records without per-field human verification. An adversarially crafted ID document image — a genuine passport scan with an injected instruction layer visible only to the VLM — can cause the identity extraction pipeline to return false extracted values that enter the HRIS record: a manipulated name, an altered date of birth, a changed nationality field. In I-9 workflows (US) and right-to-work verification (UK, EU), these extracted values are the compliance record. If the HRIS is populated with values extracted from an adversarially manipulated document rather than the genuine document content, the compliance record is corrupted at source. Text-only PI scanners cannot detect this attack because the payload is in the image pixel layer of the submitted document photo. A Glyphward pre-scan on every onboarding identity document image before it reaches the extraction pipeline closes this surface at the intake step.

3. Salary expectation and offer negotiation document injection. Compensation AI tools used by HR teams and hiring managers process candidate-submitted documents during offer negotiation: counter-offer letters submitted as PDF scans, redlined compensation proposal images, salary expectation statements, and competing offer letters. These documents are fed into AI compensation analysis tools that extract benchmark data, compare against internal salary bands, and generate a recommendation to the hiring manager on offer positioning. A candidate submitting an adversarially crafted counter-offer image — a genuine counter-offer document photo with an injection payload embedded in the supplementary text or footer of the document — can cause the AI compensation analysis to return fabricated salary benchmark data, inject false market comparables into the recommendation, or generate an AI-authored hiring manager briefing that overstates the competing offer value. The hiring manager receives an AI-generated recommendation based on corrupted extracted data, and makes a compensation decision that is materially more favourable to the candidate than the genuine offer data warrants. The adversarial payload is invisible in the document image presented to the hiring manager for review. This attack surface is particularly significant in competitive hiring markets where offers are negotiated under time pressure and AI analysis tools are used to accelerate decision-making.

4. Performance review and 360-degree feedback document scanning. AI-assisted performance review platforms allow employees to submit scanned supporting evidence for their self-assessments: printed client testimonial letters, scanned project outcome reports, printed email endorsements from stakeholders, output screenshots, and other physical or digitised artefacts that support performance claims. These submitted document images are processed by AI review tools that generate a structured performance summary — feeding into rating, promotion, and compensation band decisions. An employee who submits adversarially crafted performance evidence documents — genuine scanned documents with an injected instruction payload in the image — can cause the AI performance review tool to generate a falsely inflated performance summary: fabricated client endorsements, inflated project impact metrics, or an AI-generated narrative of exceptional performance that does not reflect the actual submitted evidence. The resulting AI performance summary feeds promotion and compensation decisions with corrupted input. Human managers who review the AI summary alongside the submitted document images will see genuine-looking documents; the adversarial manipulation exists only at the pixel level, invisible to visual inspection. Pre-submission scanning of performance evidence document images with Glyphward detects adversarially crafted submissions before they enter the AI review pipeline.

Integration: HR platform document intake with Glyphward pre-scan

import base64
import hashlib
import requests
from datetime import datetime, timezone

GLYPHWARD_KEY = "<your-glyphward-api-key>"

# HR screening threshold is 60, lower than the general 65 default.
# Lower threshold reflects the legal significance of GDPR Article 22
# automated decisions and the EU AI Act Article 15 accuracy and
# robustness obligations for high-risk AI systems used in employment.
# Any image scoring >= 60 is held for human review, not auto-processed.
GLYPHWARD_THRESHOLD_HR = 60

def scan_candidate_document(
    image_bytes: bytes,
    document_type: str,  # "portfolio" | "id_document" | "compensation" | "performance_evidence"
    candidate_id: str,
    application_id: str,
) -> dict:
    """
    Pre-ATS-ingestion Glyphward scan for candidate-submitted images.
    Returns scan audit record for GDPR Article 22 compliance trail.
    Raises ValueError on adversarial detection; RuntimeError on scan failure.

    The audit_record must be persisted alongside the ATS intake record.
    The scan_id provides a cryptographic reference that the document was
    adversarial-content-checked before any automated screening decision ran.
    """
    encoded = base64.b64encode(image_bytes).decode()
    image_hash = hashlib.sha256(image_bytes).hexdigest()

    # Build the audit record before calling the scanner so that a network
    # failure is still recorded.
    audit_record = {
        "application_id": application_id,
        "candidate_id": candidate_id,
        "document_type": document_type,
        "image_sha256": image_hash,
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "scan_status": None,
        "scan_id": None,
        "scan_score": None,
        # GDPR Article 22 audit log field
        "gdpr_a22_screening_gate": "glyphward_multimodal_pi_scan",
    }

    try:
        scan_resp = requests.post(
            "https://glyphward.com/v1/scan",
            headers={"Authorization": f"Bearer {GLYPHWARD_KEY}"},
            json={"image": encoded},
            timeout=5,
        )
        if scan_resp.status_code != 200:
            raise requests.HTTPError(f"HTTP {scan_resp.status_code}")
        scan = scan_resp.json()
        audit_record["scan_id"] = scan["scan_id"]
        audit_record["scan_score"] = scan["score"]
    except (requests.RequestException, ValueError, KeyError, TypeError) as exc:
        # Fail-closed: a timeout, connection error, non-200 status or malformed
        # response holds the document for human review.
        # Never auto-process a candidate document when the scan gate is unavailable.
        audit_record["scan_status"] = "error_held_for_human_review"
        audit_record["scan_id"] = audit_record["scan_score"] = None
        persist_ats_audit_record(audit_record)
        raise RuntimeError(
            f"Glyphward scan unavailable for {document_type} "
            f"application={application_id} — document held for human review"
        ) from exc

    if scan["score"] >= GLYPHWARD_THRESHOLD_HR:
        audit_record["scan_status"] = "adversarial_blocked"
        persist_ats_audit_record(audit_record)
        # Alert HR security team; flag candidate/employee account for review
        trigger_hr_security_alert(
            candidate_id, document_type, application_id,
            scan["scan_id"], scan["score"]
        )
        raise ValueError(
            f"Adversarial {document_type} blocked: candidate={candidate_id} "
            f"application={application_id} score={scan['score']} "
            f"scan_id={scan['scan_id']}"
        )

    audit_record["scan_status"] = "clean_passed"
    persist_ats_audit_record(audit_record)
    return audit_record

def persist_ats_audit_record(record: dict):
    # Append to immutable audit log — required for GDPR Article 22
    # and EU AI Act Article 15 compliance evidence.
    # Store alongside the ATS application record; retain per your
    # data retention policy for employment records.
    pass

def trigger_hr_security_alert(
    candidate_id: str, doc_type: str, application_id: str,
    scan_id: str, score: float
):
    # Notify HR security / InfoSec team; consider application review hold.
    pass

Persist every audit_record to an append-only table alongside the ATS application record. The scan_id from Glyphward provides a timestamped cryptographic reference proving that each candidate-submitted image was adversarial-content-checked before any automated screening decision was made — this is the structured evidence required to demonstrate GDPR Article 22 safeguard compliance and to support the EU AI Act Article 15 accuracy and robustness obligations that apply to high-risk AI systems used in employment. For ID document onboarding workflows, attach the audit_record to the HRIS onboarding record and I-9 / right-to-work compliance file.
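One way to back persist_ats_audit_record with a tamper-evident log and to enforce the gate again at the screening step, as an added example (not Glyphward's code and not part of the original integration). AuditChain, may_screen and demo_record are hypothetical names, and the in-memory list stands in for the append-only table.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditChain:
    """In-memory stand-in for the append-only audit table (hypothetical)."""

    def __init__(self):
        self.entries = []  # each entry: {"prev", "record", "hash"}

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        stored = json.loads(json.dumps(record))  # detach from the caller's dict
        self.entries.append(
            {"prev": prev, "record": stored, "hash": _digest(prev, stored)}
        )
        return self.entries[-1]["hash"]

    def first_broken(self) -> int:
        """Index of the first entry that fails verification, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = _digest(prev, entry["record"])
            if entry["prev"] != prev or entry["hash"] != expected:
                return i
            prev = entry["hash"]
        return -1

    def may_screen(self, image_bytes: bytes) -> bool:
        """Allow automated screening only for bytes with a verified clean scan."""
        if self.first_broken() != -1:
            return False  # tampered log: fail closed
        sha = hashlib.sha256(image_bytes).hexdigest()
        latest = None
        for entry in self.entries:
            if entry["record"].get("image_sha256") == sha:
                latest = entry["record"]  # the most recent scan of these bytes wins
        return latest is not None and latest.get("scan_status") == "clean_passed"


def demo_record(image_bytes: bytes, status: str, score) -> dict:
    # Constructed sample in the shape of the audit_record built above.
    return {
        "application_id": "app-0001",
        "candidate_id": "cand-0001",
        "document_type": "portfolio",
        "image_sha256": hashlib.sha256(image_bytes).hexdigest(),
        "scanned_at": "2025-01-01T00:00:00+00:00",
        "scan_status": status,
        "scan_id": "scan-constructed",
        "scan_score": score,
    }
```

Store the latest entry hash somewhere the ATS cannot rewrite, because a hash chain on its own does not reveal truncation of the tail.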

Coverage matrix

| Mitigation layer | Portfolio image AI screening bypass | ID document onboarding injection | Compensation document injection | Performance evidence injection |
| --- | --- | --- | --- | --- |
| Resume text parsing and keyword extraction | No — operates on text layer of resume; does not process portfolio image content | No — text extraction from structured fields; does not detect adversarial pixel-layer content in ID photos | No — parses document text; adversarial image payload is not in the extracted text layer | No — text-layer extraction only; adversarial payloads in scanned document images are invisible to text parsers |
| ATS spam and duplicate detection | No — detects duplicate applications and spam resumes; does not analyse portfolio image content for adversarial payloads | No — deduplication operates on applicant identity metadata; does not scan ID document images for injection | No — no applicability to compensation document content analysis | No — no applicability to performance evidence document content |
| Identity document forgery detection | No — not applicable to portfolio images | Partial — detects forged or tampered ID document structure and security features; does not detect adversarial injection payloads that exploit VLM extraction behaviour rather than altering document structure visibly | No | No |
| Glyphward pre-VLM multimodal scan | Yes — portfolio image pre-scan; adversarial AI screening bypass blocked before ATS skill assessment runs | Yes — ID document image pre-scan; adversarial extraction injection blocked before HRIS population | Yes — compensation document pre-scan; adversarial benchmark injection blocked before hiring manager recommendation generated | Yes — performance evidence pre-scan; adversarially inflated review inputs blocked before AI performance summary generated |

Related questions

Does GDPR Article 22 apply to AI-powered candidate screening using portfolio images?

Yes, where the AI portfolio screening produces a decision or significant effect on the candidate. GDPR Article 22(1) gives data subjects the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. AI-powered ATS shortlisting based on portfolio image analysis — where the automated score determines whether a candidate progresses or is rejected without human review of that specific AI output — triggers Article 22. The data controller must be able to demonstrate that the automated screening is based on accurate input data and that appropriate safeguards are in place. An AI screening pipeline that processes adversarially crafted portfolio images without detection cannot satisfy the accuracy requirement — the decision is based on manipulated input data. Glyphward’s pre-scan audit records (scan ID, timestamp, score per image) provide the structured evidence that each portfolio image was adversarial-content-checked before any screening decision ran. See our full analysis at GDPR Article 22 and multimodal AI automated decisions.

What is the difference between identity document forgery and adversarial ID document injection?

Identity document forgery alters the visible content of an ID document: a forged passport shows a different photo, a different name, or altered security features that a forensic document examiner or a human reviewer cross-checking against the original would detect. Adversarial ID document injection is a different attack class: the submitted document image appears genuine and unmodified to human visual inspection — the genuine passport photo, name, and date of birth are all visible and correct. The adversarial payload is embedded in the image at a pixel level that is imperceptible to human review but detectable and actionable by the VLM extraction model. When the VLM processes the image, the adversarial payload causes the extraction to return false values — an altered name, a changed nationality, a modified date of birth — that enter the HRIS as the extraction output. The human who reviewed the submitted document image saw the genuine document; the HRIS record reflects the adversarially extracted values. Standard identity document forgery detection (document structure validation, security feature analysis, MRZ checksum verification) does not detect this attack class because it operates on the visible document content, which is genuine. Adversarial image detection — which Glyphward provides — is the only control that catches injection payloads at the pixel layer before VLM extraction runs.
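A complementary check that runs after extraction, as an added example (not Glyphward's or any HR platform's code): compare the VLM's fields with the passport's machine-readable zone as read by a conventional MRZ reader, which does not interpret instructions, and hold any disagreement for human review. The VLM field names and ISO 8601 date format are assumptions; the MRZ lines are the ICAO 9303 specimen.

```python
from datetime import date

WEIGHTS = (7, 3, 1)
# ICAO 9303 specimen passport MRZ (fictional state "Utopia"), not a real document.
SPECIMEN_L1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SPECIMEN_L2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

def check_digit(field: str) -> int:
    """ICAO 9303 check digit: 0-9 as-is, A-Z = 10..35, '<' = 0, weights 7,3,1."""
    total = 0
    for i, ch in enumerate(field):
        if "0" <= ch <= "9":
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * WEIGHTS[i % 3]
    return total % 10

def parse_td3(line1: str, line2: str) -> dict:
    """Parse a TD3 (passport) MRZ, rejecting it if any check digit fails."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be 44 characters each")
    checked = {
        "document_number": (line2[0:9], line2[9]),
        "date_of_birth": (line2[13:19], line2[19]),
        "expiry_date": (line2[21:27], line2[27]),
        "composite": (line2[0:10] + line2[13:20] + line2[21:43], line2[43]),
    }
    for name, (value, digit) in checked.items():
        if str(check_digit(value)) != digit:
            raise ValueError(f"MRZ check digit mismatch: {name}")
    surname, _, given = line1[5:].partition("<<")
    return {
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13].rstrip("<"),
        "date_of_birth": line2[13:19],  # YYMMDD
        "expiry_date": line2[21:27],    # YYMMDD
    }

def normalise(field: str, value) -> str:
    # Assumed VLM output: ISO 8601 dates and free-text names (hypothetical schema).
    text = str(value or "").strip().upper()
    if field in ("date_of_birth", "expiry_date"):
        try:
            return date.fromisoformat(text).strftime("%y%m%d")
        except ValueError:
            return text  # unparseable date: reported as a mismatch
    if field in ("surname", "given_names"):
        return " ".join(text.replace("-", " ").split())
    return text

def extraction_mismatches(vlm_fields: dict, line1: str, line2: str) -> list:
    """Fields where the VLM output disagrees with the MRZ; hold these for review."""
    mrz = parse_td3(line1, line2)
    return sorted(f for f in mrz if normalise(f, vlm_fields.get(f)) != mrz[f])
```

The MRZ transliterates diacritics and truncates long names, so a name-only mismatch is a reason for human review, not proof of manipulation.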

How do candidates actually embed adversarial payloads in portfolio images?

Adversarial image payloads for VLM prompt injection do not require deep technical expertise to produce — and the public availability of multimodal models for testing makes the technique increasingly accessible. The most common methods fall into three categories. First, typographic injection: text with adversarial instruction content is rendered directly onto the portfolio image at very low opacity (near-invisible to human viewers at normal viewing conditions) or in a region of the image with high visual complexity that masks the text. A gradient background, a textured design element, or a busy photograph provides camouflage. Second, steganographic encoding: pixel-level modifications that encode instruction content in the image’s colour channel values at a perturbation magnitude below the threshold of human perceptibility but above the threshold required for VLM detection. These modifications are computationally generated using optimisation against a target VLM. Third, structure injection in multi-page PDF portfolios: instruction text embedded in a PDF layer that is not rendered in the visual page preview but is included in the image data passed to the VLM when the PDF page is rasterised for processing. All three methods produce portfolio images that look genuine to a hiring manager reviewing the submission; all three are detectable by Glyphward’s pre-VLM scan before the image reaches the ATS AI pipeline.

Which HR AI platforms are most exposed to this attack surface?

Exposure correlates with two factors: whether the platform processes candidate-submitted images through a VLM or AI extraction pipeline, and whether the platform applies automated screening decisions (shortlisting, scoring, or progression) based on those AI outputs without a mandatory human review gate per image. On that basis, the highest-exposure platforms are those with AI-native screening features that process portfolio or document images at scale: Eightfold AI and Phenom People use AI talent intelligence across the full candidate journey including skills inference from submitted materials; LinkedIn Talent Hub AI processes rich candidate profiles including portfolio content submitted through LinkedIn; Workday AI applies intelligent screening to ATS workflows that may include document attachments; Greenhouse and Lever AI integrate with third-party AI screening tools that process candidate submissions including portfolio attachments; iCIMS and SmartRecruiters marketplace integrations expose document processing surfaces through connected AI tools. Remote onboarding identity verification platforms (Onfido, Jumio, and HRIS-integrated identity verification in Workday and SAP SuccessFactors) are specifically exposed to the ID document injection surface. Integrating the Glyphward scan gate at the document upload API layer — before any attachment reaches the downstream ATS or HRIS processing pipeline — addresses exposure across all of these platforms regardless of which AI features they apply downstream.
