Insider threat programs fail because they start with the wrong premise. The dominant mental model — a disgruntled employee stealing secrets — is cinematic and rare. The boring truth is that most insider incidents are not malice. They are privilege sprawl, sloppy offboarding, and senior leaders who refuse to live by the controls they signed off on.
If you name that honestly, the program changes. You stop buying $400k UEBA platforms to chase a villain that is not there, and you start fixing the three unglamorous things that cause actual losses.
Offboarding is where most of the damage lives
I have reviewed post-incident reports where a terminated employee still had VPN access six months later, an SSH key on production, or a personal GitHub account that retained write access to a private repo via an OAuth app nobody revoked. None of this required malice. It required a Tuesday.
Practical offboarding is unsexy:
- HR termination event triggers IdP disablement within minutes, not by a ticket in a queue.
- Audit trail for every SaaS, every shared vault, every API key tied to the departing person.
- Break-glass review of any admin or developer role: what did they touch in the last 90 days, and what survives them?
- Contractor and third-party accounts get the same treatment. These are the accounts that age out worst.
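One way to make that checklist mechanical is a reconciliation job that runs on every HR termination event and again on a schedule, comparing what HR says against what the IdP and the non-IdP inventories say. The following is an added example, not code from the original post: the record layouts, the 15-minute disablement target and the sample users are all constructed for illustration and do not follow any HRIS, IdP or SaaS vendor's schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions for this example
# and do not follow any particular HRIS, IdP or SaaS vendor's schema.
HR_TERMINATIONS = [
    {"user": "jdoe", "terminated_at": "2024-03-05T09:00:00"},
    {"user": "asmith", "terminated_at": "2024-03-05T09:00:00"},
    {"user": "contractor-7", "terminated_at": "2024-01-10T17:30:00"},
]

IDP_ACCOUNTS = [
    {"user": "jdoe", "status": "DISABLED", "disabled_at": "2024-03-05T09:04:00"},
    {"user": "asmith", "status": "ACTIVE", "disabled_at": None},
    {"user": "contractor-7", "status": "DISABLED", "disabled_at": "2024-01-12T11:00:00"},
]

# Credentials and grants that survive an IdP disable unless revoked separately:
# SSH keys, VPN certificates, API keys, OAuth app grants on a personal account.
NON_IDP_ACCESS = [
    {"user": "jdoe", "kind": "ssh_key", "target": "prod-bastion"},
    {"user": "jdoe", "kind": "oauth_app", "target": "github:org/private-repo (write)"},
    {"user": "asmith", "kind": "api_key", "target": "billing-api"},
    {"user": "contractor-7", "kind": "vpn_cert", "target": "corp-vpn"},
]

DISABLE_SLA = timedelta(minutes=15)          # assumed target for "within minutes"
EXAMPLE_NOW = datetime(2024, 3, 6, 9, 0)     # constructed "current time" for the run


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def reconcile_offboarding(terminations, idp_accounts, non_idp_access, now):
    """Compare HR terminations against IdP state and surviving non-IdP access.

    Emits one Finding per problem: IdP account still active, IdP disable that
    missed the SLA, and every key, cert, token or OAuth grant still tied to
    the departed user. Contractors are handled identically to employees.
    """
    idp = {a["user"]: a for a in idp_accounts}
    findings = []
    for term in terminations:
        user = term["user"]
        terminated_at = datetime.fromisoformat(term["terminated_at"])
        account = idp.get(user)
        if account is None:
            findings.append(Finding(user, "no_idp_record", "cannot confirm disablement"))
        elif account["status"] != "DISABLED":
            findings.append(Finding(user, "idp_still_active",
                                    f"{now - terminated_at} since termination"))
        else:
            lag = datetime.fromisoformat(account["disabled_at"]) - terminated_at
            if lag > DISABLE_SLA:
                findings.append(Finding(user, "idp_disable_late",
                                        f"disabled {lag} after termination"))
        # Disabling the IdP account does nothing for these; list each one.
        for item in non_idp_access:
            if item["user"] == user:
                findings.append(Finding(user, f"lingering_{item['kind']}", item["target"]))
    return findings


if __name__ == "__main__":
    for f in reconcile_offboarding(HR_TERMINATIONS, IDP_ACCOUNTS, NON_IDP_ACCESS, EXAMPLE_NOW):
        print(f"{f.user:14} {f.issue:22} {f.detail}")
```

The point of the structure is that the IdP check and the non-IdP inventory are separate loops: a disabled SSO account is necessary but proves nothing about SSH keys, VPN certificates or OAuth grants, which is exactly where the six-months-later findings come from.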
Least privilege as reality, not policy
Every policy document I have read claims least privilege. Every access review I have run has found a finance analyst with read access to HR data, a developer with production database credentials from a 2021 incident response, and a service account in Domain Admins because "it was easier."
Privilege sprawl is the actual insider risk. The fix is mechanical:
- Quarterly access reviews that managers sign, not rubber-stamp. Tie revocations to a deadline.
- Just-in-time elevation for admin roles, not standing access. PIM on Entra, sudo with approval, or equivalent.
- Separation of duty for anything that touches money or customer data. One human should not be able to change a bank account and approve the change.
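The three fixes above can be checked the same way, by running the entitlement export through a script that flags what a manager must act on rather than what they may glance at. This is an added example and not code from the original post; the entitlement layout, the role-to-department ownership map, the admin role set and the separation-of-duty pairs are all constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample entitlements; field names are assumptions for this example.
ENTITLEMENTS = [
    {"user": "fin-analyst", "dept": "finance", "role": "hr-data-read",
     "last_reviewed": "2023-06-01", "standing": True},
    {"user": "dev-1", "dept": "engineering", "role": "prod-db-admin",
     "last_reviewed": "2021-11-14", "standing": True},
    {"user": "svc-backup", "dept": "it", "role": "Domain Admins",
     "last_reviewed": None, "standing": True},
    {"user": "ap-clerk", "dept": "finance", "role": "vendor-bank-account-edit",
     "last_reviewed": "2024-03-01", "standing": True},
    {"user": "ap-clerk", "dept": "finance", "role": "vendor-change-approve",
     "last_reviewed": "2024-03-01", "standing": True},
    {"user": "sre-2", "dept": "engineering", "role": "prod-ssh",
     "last_reviewed": "2024-02-15", "standing": False},   # JIT-only grant
]

# Which department owns the data a role exposes (assumed mapping).
ROLE_OWNER_DEPT = {
    "hr-data-read": "hr", "prod-db-admin": "engineering", "prod-ssh": "engineering",
    "vendor-bank-account-edit": "finance", "vendor-change-approve": "finance",
    "Domain Admins": "it",
}

# Admin roles that should only be held through just-in-time elevation.
ADMIN_ROLES = {"prod-db-admin", "Domain Admins", "prod-ssh"}

# Role pairs one person must never hold together (separation of duty).
SOD_CONFLICTS = [frozenset({"vendor-bank-account-edit", "vendor-change-approve"})]

REVIEW_INTERVAL = timedelta(days=90)     # quarterly reviews
EXAMPLE_TODAY = date(2024, 3, 31)        # constructed review date


def review_access(entitlements, today, review_interval=REVIEW_INTERVAL):
    """Return (user, issue, detail) tuples for every least-privilege problem found.

    Checks: access outside the user's own department, standing (non-JIT) admin
    roles, reviews that never happened or are past the quarterly deadline, and
    separation-of-duty conflicts across all roles a user holds.
    """
    findings = []
    roles_by_user = {}
    for e in entitlements:
        user, role = e["user"], e["role"]
        roles_by_user.setdefault(user, set()).add(role)
        owner = ROLE_OWNER_DEPT.get(role)
        if owner and owner != e["dept"]:
            findings.append((user, "out_of_department_access",
                             f"{role} is owned by {owner}, user is in {e['dept']}"))
        if role in ADMIN_ROLES and e["standing"]:
            findings.append((user, "standing_admin", f"{role} should be just-in-time"))
        if e["last_reviewed"] is None:
            findings.append((user, "never_reviewed", role))
        elif today - date.fromisoformat(e["last_reviewed"]) > review_interval:
            findings.append((user, "review_overdue",
                             f"{role} last reviewed {e['last_reviewed']}"))
    # SoD is a property of the combination, so evaluate it per user, not per row.
    for user, roles in roles_by_user.items():
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append((user, "separation_of_duty", " + ".join(sorted(pair))))
    return findings


if __name__ == "__main__":
    for user, issue, detail in review_access(ENTITLEMENTS, EXAMPLE_TODAY):
        print(f"{user:12} {issue:26} {detail}")
```

Each finding names a deadline-bound action (revoke, convert to JIT, re-review, split the roles), which is what turns a review from a rubber stamp into something a manager can be held to.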
The behavioral indicators that actually matter
Most UEBA vendor demos show you alerts on "unusual login time" and "anomalous file access volume." In real environments those fire constantly and nobody acts on them. The indicators that correlate with real insider incidents are more prosaic:
- Staged data in unusual locations — a sudden archive on a personal OneDrive, a zip file on a USB.
- Repeated failed attempts to access systems outside the user's normal scope.
- HR signals: resignation notice, performance improvement plan, visa or immigration change, internal transfer refused.
- Sysadmins disabling their own logging or making changes outside change windows.
UEBA is useful when it is tuned to these, integrated with HR signals, and reviewed by a human who knows the business. Deployed without that, it is an expensive noise generator.
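What "tuned to these and integrated with HR signals" looks like in practice is a correlation rule that weights the prosaic indicators heavily, treats login-time anomalies as low-value context only, and fires on a user once the combination crosses a threshold. The following is an added example, not code from the original post or any UEBA product: the log lines are constructed, the field names are assumptions, and the weights and thresholds are illustrative values a team would calibrate against its own environment.

```python
import json
from collections import defaultdict

# Constructed sample events (one JSON object per line); field names are
# assumptions for this example, not any SIEM or UEBA product's schema.
SAMPLE_LOGS = """\
{"ts":"2024-03-04T10:02:00","src":"hr","user":"jdoe","event":"resignation_notice"}
{"ts":"2024-03-04T22:15:00","src":"endpoint","user":"jdoe","event":"archive_created","location":"personal_cloud","bytes":2147483648}
{"ts":"2024-03-05T08:30:00","src":"endpoint","user":"jdoe","event":"file_copy","location":"removable_media","bytes":734003200}
{"ts":"2024-03-05T03:10:00","src":"auth","user":"bsmith","event":"login","unusual_hour":true}
{"ts":"2024-03-01T11:00:00","src":"hr","user":"cwu","event":"performance_improvement_plan"}
{"ts":"2024-03-05T09:00:00","src":"auth","user":"cwu","event":"access_denied","resource":"hr-share"}
{"ts":"2024-03-05T09:01:00","src":"auth","user":"cwu","event":"access_denied","resource":"finance-share"}
{"ts":"2024-03-05T09:03:00","src":"auth","user":"cwu","event":"access_denied","resource":"exec-share"}
{"ts":"2024-03-05T16:40:00","src":"auth","user":"dlee","event":"access_denied","resource":"legal-share"}
{"ts":"2024-03-05T14:00:00","src":"audit","user":"admin-rk","event":"audit_logging_disabled","target_user":"admin-rk","in_change_window":false}
"""

HR_SIGNALS = {"resignation_notice", "performance_improvement_plan",
              "visa_change", "transfer_refused"}
STAGING_LOCATIONS = {"personal_cloud", "removable_media"}

# Illustrative weights: staging, repeated out-of-scope denials, HR context and
# self-directed admin changes carry weight; an unusual login hour alone does not.
WEIGHTS = {"hr_signal": 2, "staged_data": 3, "repeated_denials": 3,
           "admin_self_change": 4, "unusual_hour": 0.5}
DENIAL_THRESHOLD = 3     # denials before "repeated" counts
ALERT_THRESHOLD = 4      # combined score that opens a case for a human


def parse_events(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def score_users(log_text):
    """Return {user: (score, [reasons])}, combining signals per user."""
    scores, reasons, denials = defaultdict(float), defaultdict(list), defaultdict(int)
    for ev in parse_events(log_text):
        u = ev["user"]
        if ev["src"] == "hr" and ev["event"] in HR_SIGNALS:
            scores[u] += WEIGHTS["hr_signal"]
            reasons[u].append(f"hr:{ev['event']}")
        elif ev["event"] in ("archive_created", "file_copy") and ev.get("location") in STAGING_LOCATIONS:
            scores[u] += WEIGHTS["staged_data"]
            reasons[u].append(f"staged:{ev['location']}")
        elif ev["event"] == "access_denied":
            denials[u] += 1          # scored once the count is known
        elif ev["event"] == "audit_logging_disabled" and (
                ev.get("target_user") == u or not ev.get("in_change_window", True)):
            scores[u] += WEIGHTS["admin_self_change"]
            reasons[u].append("admin:logging_disabled_self_or_out_of_window")
        elif ev.get("unusual_hour"):
            scores[u] += WEIGHTS["unusual_hour"]
            reasons[u].append("context:unusual_hour")
    for u, n in denials.items():
        if n >= DENIAL_THRESHOLD:
            scores[u] += WEIGHTS["repeated_denials"]
            reasons[u].append(f"denials:{n}")
    return {u: (scores[u], reasons[u]) for u in set(scores) | set(denials)}


def alerts(log_text, threshold=ALERT_THRESHOLD):
    """Users whose combined score reaches the threshold, for human review."""
    return sorted(u for u, (s, _) in score_users(log_text).items() if s >= threshold)


if __name__ == "__main__":
    for user, (score, why) in sorted(score_users(SAMPLE_LOGS).items()):
        flag = "ALERT" if score >= ALERT_THRESHOLD else "     "
        print(f"{flag} {user:10} {score:4} {', '.join(why)}")
```

On the constructed data the 3 a.m. login never alerts by itself, a single out-of-scope denial stays silent, and the cases that do open are the resignation plus staging, the PIP plus repeated denials, and the admin turning off their own audit logging outside a change window. The reasons list travels with the score so the reviewer who knows the business can see why, which is the part no vendor demo shows.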
The riskiest insider in most companies is not an analyst with a grudge. It is an executive who refuses to use MFA and has a laptop full of board material.
The executive insider problem
VIP exceptions are where insider programs die. The CEO who forwards email to a personal Gmail, the CFO who shares a password with an assistant, the board member who uses a personal device to review the M&A deck — these are the highest-impact insider risks in any mid-market or enterprise org. Naming this out loud, and getting executive sponsorship to not exempt executives, is the hardest and most valuable work in the program.
The takeaway
Before you buy an insider threat platform, close three things: terminations that do not propagate in minutes, access reviews that nobody really does, and VIP exceptions to your own controls. If you do those well, you have solved most insider risk. If you do not, no tool will save you.