    Biscayne Strategic Solutions
    Household staff and vendor due diligence concept for high-profile principals

    A background check is useful. It is also the beginning of due diligence, not the end. For principals and family offices, the people with access to the home, the calendar, the vehicles, the devices, and the children have an influence on daily life that is difficult to overstate. A lapse does not need to be dramatic to matter. A contractor's unreturned key, an assistant's forwarded calendar, or a driver's casual mention of travel plans to a friend can turn into an exposure that later fuels an incident.

    This guide covers what thorough vetting looks like for household staff, vendors, and personal assistants in a high-profile environment, and why it is rarely captured by a one-time background check. It is written for principals, chiefs of staff, family office leads, and the security and legal teams that support them.

    Who this is for

    • Principals hiring or retaining household staff, assistants, and vendors
    • Chiefs of staff and family office leads responsible for household operations
    • Security leaders who need vetting standards aligned with risk
    • Legal counsel balancing vetting depth with compliance obligations
    • HR professionals supporting principals in personal hires

    At a glance

    • Background checks show the tip of the iceberg. Lifestyle patterns, digital behavior, past disputes, and references tell more of the story.
    • Household staff and vendors often have access that no corporate employee would ever receive. The vetting should reflect that.
    • Vetting is a process, not an event. Periodic refresh and monitoring catch issues that were not visible at hire.
    • The best outcome is a trusted household where vetting feels respectful and routine, not suspicious or theatrical.

    Why background checks alone are not enough

    Background checks do three things well. They surface known criminal records within available jurisdictions, confirm basic identity, and verify specific claims such as education or past employment. They do not do many other things that matter for a high-profile household.

    What a typical background check does not show:

    • Current financial stress or significant life pressures
    • Past litigation that did not result in convictions
    • Patterns of civil disputes, evictions, or non-payment
    • Social media behavior and publicly expressed attitudes
    • Reputation among prior employers, beyond official confirmations
    • Indicators of past or current addiction or coercion
    • Associations with problematic individuals or organizations
    • Digital footprint that suggests risk, for example dark web chatter or leaked credentials
    • Interview behavior under pressure or under conflicting incentives

    Some of these gaps are legal limitations. Others are structural. A principal who relies on a one-time check and a handshake is making a bet that the check captured everything that mattered. In practice, it rarely does.

    The risk surfaces household staff and vendors sit on

    Household staff and vendors typically sit on several risk surfaces at once.

    • Physical access. Keys, codes, biometric enrollments, vehicle access, and routine entry to private spaces.
    • Informational access. Calendars, schedules, names, phone numbers, photos, and the day-to-day texture of family life.
    • Financial access. Corporate cards, household accounts, petty cash, vendor invoicing, and in some cases, signatory authority.
    • Technological access. Devices, home networks, smart home systems, shared accounts, and in some cases, personal devices used for household work.
    • Relational access. Trust-based relationships with children, spouses, other staff, and the principal's extended circle.

    The risk is rarely dramatic. It is the aggregation. A staff member with full household access and modest discipline can produce more exposure over time than a malicious actor, who is fortunately rare.

    A layered approach to vetting

    A layered approach to vetting treats the background check as a foundation and builds upward.

    • Layer 1: Foundational background check. Identity confirmation, criminal history in available jurisdictions, employment verification, and credential verification.
    • Layer 2: Civil and litigation history. Relevant civil matters, regulatory findings, and patterns of disputes.
    • Layer 3: Financial posture. Where permissible, financial stress indicators, credit history, and historical bankruptcies or liens.
    • Layer 4: Digital due diligence. Social media review, public online behavior, leaked credentials, and OSINT-derived exposures.
    • Layer 5: Reference and reputation checks. Structured conversations with prior employers, colleagues, and where appropriate, industry contacts.
    • Layer 6: Interview rigor. Scenario-based interviewing, pressure testing, and evaluation of judgment under realistic conditions.
    • Layer 7: Ongoing monitoring. Periodic rechecks, credential monitoring, and alerts for publicly visible signals.

    The depth of the layers depends on role. A full-time principal driver or estate manager typically warrants the deepest vetting. A one-time trade contractor can usually stop at foundational layers unless access is deep. A structured Vendor and Staff Vetting program is designed exactly around this layering.

    Pre-hire due diligence for household staff

    Pre-hire due diligence focuses on building a clear picture of the candidate before the offer, not on trying to salvage clarity afterward.

    Clarify the role and access

    Before vetting begins, write down what access the role involves: keys, codes, vehicles, children, calendars, devices, and financial authority. The depth of the vet should match the depth of the access, not the title.

    Collect authorizations carefully

    Every layer of vetting is subject to legal and compliance requirements. Candidates should be given clear written disclosures, and consent should be collected where required. Counsel should advise on jurisdictional requirements for screening household employees.

    Verify identity thoroughly

    Identity confirmation is the bedrock of every other layer. Pay attention to small inconsistencies, such as names that differ between documents, date-of-birth variations, and addresses that do not match typical patterns.

    Execute the background check

    Engage a reputable screening provider. Ensure jurisdictional coverage aligned to where the candidate has lived and worked. Specific attention to sex offender registries, domestic violence records, and driving history is usually warranted for household roles.

    Expand into civil and regulatory history

    Civil matters often reveal patterns that criminal checks do not capture. Regulatory findings in financial or licensed industries can also be meaningful, particularly for assistants with financial authority.

    Review financial posture, where permissible

    Where permissible, a review of financial stress indicators can be informative, particularly for roles that touch money. Coercion risks often correlate with acute financial stress.

    Conduct structured reference checks

    Reference checks should be structured. Open-ended prompts often produce more useful information than checklist questions. Ask about judgment under pressure, past conflicts, and reasons for leaving previous roles.

    Evaluate in realistic interviews

    For high-trust roles, interviews should include realistic scenarios. How would the candidate handle an unexpected call to the principal's private number, a pushy vendor at the gate, a conflicting instruction from a spouse, or a request that feels unusual?

    Confirm working references from the principal's circle

    Where appropriate, the principal's circle may have relevant references, peers who have employed the candidate, or advisors who know them by reputation. A small number of trusted references can corroborate or complicate a candidate's narrative.

    Digital due diligence beyond the criminal search

    Digital due diligence is often the layer that distinguishes a thorough vet from a perfunctory one. Candidates increasingly have public digital footprints that reveal judgment, associations, and risk.

    Social media and public profiles

    A structured social media review is common in executive hiring and has growing relevance for household staff. The goal is not to penalize personal views. It is to surface patterns that could create risk: disclosure of confidential details about prior employers, associations with hostile groups, patterns of harassment, or indications of substance-related issues.

    Public forums and community activity

    Many people maintain online identities adjacent to their legal name. Pseudonymous activity cannot always be conclusively linked, but patterns such as shared email addresses, public handles, and reused usernames can create reasonable associations in a structured review.

    Breach and credential exposure

    A candidate who appears in multiple breaches with credentials reused across systems is a compliance question for later, but it is also a signal about habits. Awareness informs training and access decisions.

    Dark web chatter and sensitive mentions

    In rare cases, candidates appear in sensitive dark web contexts. A screening program that includes Breach and Dark Web Tracking awareness can surface these signals before they become issues.

    OSINT assembly

    The same methods attackers use to map a principal can be applied in a structured way to a candidate. Public records, property information, and litigation databases can add context that an interview alone would not produce.

    Documentation and bias control

    Digital due diligence requires documentation of criteria, consistent methods across candidates, and a deliberate approach to legal compliance. Counsel should advise on what may be considered in hiring decisions in the relevant jurisdictions.

    Vetting vendors and contractors

    Vendors and contractors sit on different access surfaces than household employees but often carry comparable risk. A structured vendor vetting model tends to prevent more problems than it causes.

    Tier vendors by access

    Separate vendors into tiers based on access depth. Tier 1 might be a full-time nanny or estate manager, Tier 2 a weekly cleaner with keys, Tier 3 an occasional trade contractor. Vet depth should map to tier.

    Confirm business legitimacy

    For Tier 1 and Tier 2 vendors, confirm business registration, insurance, bonding, and licensing where applicable. Many household losses trace back to vendors whose business status was casually assumed rather than verified.

    Vet individual workers, not only the company

    A company can be vetted, then send employees who have not been. For recurring access, vet the individuals who will actually be on site, not only the owner of the business.

    Insurance and bonding

    Insurance and bonding do not prevent incidents, but they shape who bears consequences if something goes wrong. Confirm coverage that is appropriate to access depth.

    Access agreements

    Written agreements covering confidentiality, access boundaries, and conduct expectations are normal and reasonable for Tier 1 and Tier 2 vendors. Many principals underuse this tool.

    Payment controls

    Payment changes should never be accepted on the strength of an email alone. This simple rule, combined with callback verification on a known number, prevents a large portion of wire fraud and business email compromise attempts involving vendors.

    Turnover and access removal

    Vendor turnover is routine. Access removal often is not. Keys, codes, and credentials should be rotated on a documented cadence, not on an ad hoc basis.

    Coordination with household

    Household staff and vendors interact. Household staff should understand the vendor onboarding process, how to confirm identity at the gate, and how to handle unexpected arrivals. A VIP Family Risk Protection program typically reinforces these interactions.

    Ongoing monitoring and periodic reviews

    Vetting at hire is necessary but not sufficient. People's circumstances change, and a person who was low risk at hire can become higher risk over time, or the reverse.

    Annual recheck

    Most high-trust household roles warrant an annual recheck. This is a lighter version of the original vet, focused on new civil or criminal matters, current social media, and financial stress indicators.

    Event-driven review

    Life events such as moves, divorces, legal disputes, deaths in the family, and significant medical events can shift risk. A discreet review during a known event window is often appropriate.

    Credential and breach monitoring

    Ongoing Breach and Dark Web Tracking for staff emails and credentials can catch exposures that ripple into household systems. Alerts can trigger rotation and communication with the staff member.

    Behavior observation

    Chiefs of staff and family office leads should be attuned to behavioral patterns, unusual purchases, conversations that feel rehearsed, or withdrawal from long-standing relationships. These are not proof of anything, but they are signals that merit quiet attention.

    Confidential reporting

    A household benefits from a confidential channel where staff can raise concerns about each other without fear. Many issues are visible to peers long before they reach the principal.

    Annual refresh of access

    On a defined cadence, physical and digital access should be audited and rotated. Old keys, old codes, and old credentials are common sources of unexpected exposure. An Ongoing Monitoring Retainer provides the standing capacity to keep this discipline in place.

    Access design that reduces how much vetting matters

    The best vetting program is one that pairs with an access design that limits the blast radius of any single staff member's actions.

    Role-specific access

    Each role should have access appropriate to its function, no more. A cleaner does not need access to the principal's home office. A driver does not need access to children's rooms. Enforce role-based access by habit and by infrastructure.

    Segmented credentials

    Shared household accounts invite trouble. Where possible, credentials should be per-role and rotated on turnover. Password managers with staff-specific vaults can simplify this substantially.

    Segmented networks

    Staff devices and smart home systems should sit on segmented networks. A compromised staff device should not open a path to family devices.

    Logged access where appropriate

    Home access systems with logging make it simpler to reconstruct events. Logs should be reviewed periodically, not only after incidents.

    Cash and payment discipline

    Petty cash and corporate cards should have clear limits, documented approvals, and routine reconciliation. Many small losses compound quietly without this discipline.

    Device issuance

    Where staff use household devices, those devices should be issued, not BYOD, for sensitive work. Issued devices make it easier to rotate, inventory, and recover access. A periodic Executive privacy audit can confirm that this design is holding up over time.

    A simple scoring model for staff and vendor exposure

    Score each dimension 1 to 5. Total to 20. Higher scores indicate areas that should concentrate attention.

    • Access depth (1 to 5): how deep the role's access is into physical spaces, information, finances, and devices.
    • Tenure turnover (1 to 5): how frequently the role turns over, or how long tenured staff have gone without a vetting refresh.
    • Information sensitivity (1 to 5): how much sensitive information the role interacts with, from family calendars to financial matters.
    • Vetting recency (1 to 5): invert this score. Recent, thorough vetting reduces net risk. Outdated or shallow vetting raises it.

    Scores of 16 to 20 justify an immediate review through Vendor and Staff Vetting and Corporate Investigations. Middle scores suggest a refresh. Lower scores can often be managed with a periodic check-in.

    What good looks like

    A mature household vetting program feels respectful and routine, not theatrical or suspicious. Staff understand the posture and, in our experience, often prefer it, because it professionalizes the environment.

    Deliverables

    • A tiered role definition tied to access depth
    • A standard vetting package for each tier, documented and consistent
    • An annual recheck cadence and log
    • A vendor tiering model with associated vetting requirements
    • An access and credential rotation schedule
    • A reporting channel for staff concerns
    • An integrated monitoring plan for credentials and sensitive signals

    Cadence

    • Pre-hire: full tiered vetting, structured interviews, references
    • Onboarding: documented access issuance and training
    • Quarterly operations: access audit and monitoring review
    • Annual refresh: structured recheck and documented updates
    • Event-driven review: discreet additional review during known life events or anomalies

    Ownership

    • Principal sponsor: sets tone and tolerance
    • Chief of staff or family office lead: owns the program
    • Security lead: owns threat and access posture
    • Legal counsel: advises on compliance and documentation
    • HR partner: supports hiring and employment matters

    Monitoring

    Common mistakes

    Household vetting tends to go sideways in predictable ways.

    Confusing a check with due diligence

    A check is data. Due diligence is judgment applied to data. A household that relies on the check alone, without structured review, is effectively betting on the provider's default coverage.

    Skipping the vendor individuals

    Vetting the business and not the individual produces false confidence. The person in the home matters more than the company on the invoice.

    Treating vetting as one-and-done

    People change. Circumstances change. An annual recheck costs little and catches things a one-time vet cannot.

    Letting access creep silently

    Staff who have been around for years often accumulate access that no longer matches their role. A periodic access audit keeps this in check.

    Ignoring digital signals

    Social media, breach exposure, and OSINT are part of modern vetting. A program that skips them is missing a layer that attackers routinely mine.

    Failing to document

    Vetting records have evidentiary value if anything later goes wrong. Written records, stored securely, protect the household and the staff member.

    Over-vetting low-risk roles

    Depth should map to access. A one-time landscaper does not need the same vet as a live-in nanny. Over-vetting low-risk roles wastes effort and can create friction. Where reputational risk surfaces during a vet, coordinated Online Reputation Management can address it discreetly.

    Illustrative patterns drawn from practice

    These composite scenarios help illustrate the range of outcomes that thorough vetting produces.

    The nanny who was not the risk

    A principal's household is vetting a candidate for a live-in nanny role. The candidate clears a standard background check cleanly. A deeper vet surfaces several civil matters, minor but suggestive, from prior employers. Structured reference conversations reveal a pattern of friction that would likely have recurred. The household passes on the candidate without hard feelings, and the right person is hired the following month. The vet did not uncover drama. It uncovered fit.

    The vendor hiring a new installer

    A longstanding home systems integrator is acquired by a larger firm. Under the new ownership, installers rotate. The household's access agreement holds, but a disciplined quarterly review catches that a newly assigned installer has not been individually vetted. A conversation with the integrator produces a refreshed workflow. No incident occurs. The close call is typical of how vendor-based exposure tends to arrive, through drift rather than intent.

    The longstanding assistant

    An assistant of seven years faces an unexpected personal crisis. A discreet, supportive conversation surfaces the pressure. Access is adjusted temporarily without being revoked. The assistant is grateful, the principal is supportive, and the household handles the situation with dignity. A vetting program is not only a risk control. It is a framework for maintaining trust under real-world conditions.

    The rogue contractor

    A one-time contractor on a renovation project is discovered to have attempted to photograph interior documents on a cellphone. Because the contractor was escorted and logs were kept, the incident is identified quickly. The contractor is terminated. Counsel is engaged. The incident is contained. Preparedness, not paranoia, is the reason the outcome is limited.

    A sample tiered vetting framework

    An illustrative framework helps make the approach concrete.

    • Tier 1, deep access (nanny, estate manager, house manager, principal driver): full background, civil and regulatory, financial posture where permissible, structured interviews, digital review, references at multiple levels, annual recheck, periodic event-driven review.
    • Tier 2, regular access (weekly cleaners, longstanding contractors, regular caterers, security staff): full background, civil where relevant, structured references, digital review at lighter depth, annual recheck.
    • Tier 3, intermittent access (trade contractors, event vendors, one-time service providers): foundational background, identity confirmation, vendor business verification, vendor access agreement, escorted access where appropriate.

    This framework is illustrative, not prescriptive. The right tiering depends on the household, the principal's exposure, and the specifics of each role. The value is in doing the tiering deliberately, not in adopting a specific template. A coordinated Digital Executive Protection program ties the tiering to the rest of the household's risk posture.

    Coordinating with hiring managers and recruiters

    In many households, recruiters or placement agencies play a role in sourcing staff. A few coordination principles help.

    • Standardize the vetting package. Provide recruiters with a clear vetting expectation. Consistency across candidates prevents uneven outcomes.
    • Coordinate on disclosures. Candidates should know, up front, what the vetting includes. This is both a compliance and a cultural requirement.
    • Use recruiters thoughtfully. Recruiters are useful for sourcing. They are rarely the right party to perform the actual vet. Keep vetting under the principal's control.
    • Document each round. Maintain a paper trail, stored securely, of interviews, vets, and decisions. Future reference is often worth the small upfront effort.

    Work with Biscayne Secure

    Vetting household staff, vendors, and personal assistants is a quiet, ongoing responsibility. Done well, it produces a household that feels steady and professional. Done poorly, it invites preventable exposures that tend to surface at inconvenient times.

    Biscayne Secure supports principals and family offices with Vendor and Staff Vetting, Corporate Investigations, Breach and Dark Web Tracking, Digital Executive Protection, VIP Family Risk Protection, Executive privacy audits, and Ongoing Monitoring Retainers. Where reputational issues surface during a vet, Online Reputation Management can address them discreetly. Programs are designed to be consistent across roles, respectful to staff, and integrated with the broader security posture. The goal is a household that is both pleasant to work in and difficult to harm.

    Frequently asked questions

    Is a standard background check enough for household staff?

    For most high-trust household roles, no. A standard check is a foundation, not a substitute for structured due diligence. Civil history, digital footprint, financial posture, and structured reference work typically add significant clarity.

    How often should we recheck staff?

    Annual rechecks are common for high-trust roles, with event-driven reviews when life circumstances change. Lighter cadences may be appropriate for peripheral roles with limited access.

    What about long-tenured staff we have employed for years?

    Tenure is valuable. It is not a substitute for periodic rechecks and access audits. Trust and verification are not opposed.

    Is vetting individual vendor employees legal and practical?

    In most jurisdictions, it is possible with consent and proper notice. A structured engagement with counsel and a reputable vetting partner makes it practical, particularly for recurring vendors with deep access.

    Should staff know we are monitoring them?

    Staff should generally know the overall posture of the household, including that vetting and access audits are a normal part of how the household operates. Specific monitoring decisions should be coordinated with counsel.

    What if a staff member's circumstances change mid-employment?

    Discreet attention is usually warranted. Some changes are operationally neutral. Others, such as a new legal matter, significant financial stress, or a change in associations, may justify a review. Handling it with respect preserves the relationship where appropriate and protects the household where necessary.

    How do we protect ourselves from vendor wire fraud?

    Combine Vendor and Staff Vetting with documented payment protocols, callback verification, and dual control. These controls, more than any vetting step, prevent the most common vendor-impersonation fraud patterns.

    What if a background check surfaces something concerning but not disqualifying?

    A structured conversation with the candidate, often with counsel, is usually the right move. Many concerns are resolvable with context. Others are not. The point of the vet is to surface the question, not to answer it mechanically.

    Should we use polygraphs or other specialized assessments?

    These tools have specific uses and significant limitations. They are rarely appropriate as standard practice for household hiring. A structured interview and reference process typically produces more reliable insight than novelty assessments.

    How do we balance vetting with respect for candidates?

    By being consistent, transparent, and professional. Candidates generally understand the need for thorough vetting in high-trust roles. Done respectfully, the process often builds confidence on both sides.

    What is the single most overlooked aspect of household vetting?

    In our experience, vetting the individual worker rather than only the vendor company. A reputable vendor can still send staff who have not been individually vetted. A small amount of deliberate attention to the actual person on site pays off repeatedly.

    How should international staff be vetted?

    Depending on jurisdiction, certain records may be more or less accessible. Work with a screening provider experienced in international checks, align with counsel on compliance, and use structured interviews and references to supplement what formal checks may not reveal. Outcomes vary, but thorough international vets are achievable with the right partner.

    What is the right first step for a household that has never formalized vetting?

    Begin by writing down the roles and the access each one carries, then map a tiered vetting standard to that access. From there, refresh long-tenured roles in priority order and put a simple annual recheck cadence in place. A short, focused engagement with a vetting partner can produce the framework quickly, and the household can run it from there.


    Ready to strengthen household vetting?

    If your household or family office is preparing to formalize vetting, refresh long-tenured roles, or tighten vendor controls, a confidential review can identify the highest-leverage steps to take first.
