TL;DR: Employee exit risk often begins weeks before HR notice, because job-search behaviour, client lookups, and unusual self-email patterns can reveal intent before files leave the organisation, according to Gurucul. The real failure is assuming resignation is the trigger, when the governance gap is behavioural blindness.
At a glance
What this is: This is an insider-threat analysis arguing that the risky window begins before resignation notice, and that behavioural signals reveal exfiltration intent earlier than HR-driven monitoring.
Why it matters: It matters because IAM, PAM, and monitoring teams need to govern access and behaviour before a leaver event is formally recorded, especially where sensitive data can be moved through legitimate accounts.
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
👉 Read Gurucul's analysis of pre-notice insider threat behavior and flight risk
Context
Insider-threat programmes fail when they wait for a formal resignation event before treating an account as high risk. In this article, the primary governance problem is behavioural blindness: access remains legitimate, but intent shifts long before HR or security receives a departure signal.
For IAM and monitoring teams, the relevant question is not whether an employee is leaving, but whether their activity sequence shows preparation for exfiltration while access is still active. That is a lifecycle problem, a detection problem, and a privilege-management problem at the same time.
Key questions
Q: How should organisations detect insider threats before an employee resigns?
A: Organisations should watch for sequences, not single events. Job-site access, unusual file lookups, self-emailing, and contact harvesting can combine into a pre-notice exfiltration pattern while the account still appears legitimate. The safest approach is identity-based correlation across systems so analysts can see intent drift before data loss becomes visible.
Q: Why do insider-risk programmes fail when they rely on HR notice dates?
A: They fail because HR notice arrives after the behaviour that matters has often already started. People can prepare for departure for days or weeks while still looking like normal users. If the programme waits for the resignation event, it loses the window where detection can still stop exfiltration.
Q: What behaviour patterns should trigger insider-risk review?
A: Look for combinations such as job-search activity, atypical client or repository access, repeated self-emailing, and movement toward personal storage. Any one signal may be benign, but the pattern across time can show preparation for removal of information. Behavioural context is what separates noise from risk.
Q: Who should be accountable when pre-notice exfiltration occurs?
A: Accountability should sit across security, IAM, HR, and the business owner of the data. HR supplies the lifecycle signal, IAM controls access, and security detects behavioural drift. If one team owns the problem alone, the organisation will usually discover the issue only after the data has already moved.
Technical breakdown
Notice period fallacy in insider risk monitoring
The notice period fallacy is the assumption that departure risk begins when HR records a resignation. In practice, people often search for jobs, collect contacts, and move files before notice, while still appearing ordinary in isolation. Behavioural analytics matters because the sequence of actions creates context that a single event cannot. A resume upload, atypical system access, and personal-email activity can combine into a coherent intent chain. Static SIEM rules miss this because they are built for discrete alerts, not behavioural progression.
Practical implication: tie insider-risk escalation to behaviour sequences, not to HR departure status.
Identity-centric normalisation for user behaviour
Identity-centric normalisation connects activity across web, email, endpoint, and data systems into one timeline for a specific user. That matters because exfiltration rarely happens in one tool. A recruiter search, client list lookup, and self-email may each be low confidence alone, but together they show a pattern. Model-driven security scores that timeline against peer baselines, letting analysts see deviation rather than raw noise. The architecture is less about one magical alert and more about stitching signals into an investigation-ready narrative.
Practical implication: correlate logs by identity across systems before attempting insider-risk triage.
Behavioural indicators versus rule-based alerts
Rule-based detection looks for known bad actions, such as mass download thresholds or blocked destinations. Behavioural detection looks for intent drift, meaning the user’s actions start to resemble departure preparation rather than normal work. This includes job-site access, unusual contact harvesting, and personal account forwarding. The technical difference is important: rules answer whether a policy was broken, while behavioural models answer whether a person is moving toward loss even though each action still appears allowed.
Practical implication: supplement policy alerts with models that score intent drift over time.
Threat narrative
Attacker objective: The objective is to extract valuable business data or client relationships before the organisation can react to the departure.
- Entry occurs through ordinary, legitimate employee access that is already trusted by default.
- Credential or account abuse is not the primary issue here; the abusive step is the gradual misuse of valid access to collect contact data, browse job sites, and prepare exfiltration.
- Escalation happens as low-signal actions accumulate into a coherent departure pattern that static controls do not flag.
- Impact is data theft before formal notice, with client lists, source code, or strategic plans leaving through normal channels.
Breaches seen in the wild
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Behavioural blindness is the real insider-risk failure, not employee resignation. Legacy IRM often assumes the departure event is the risk trigger, but the risky behaviour usually starts earlier and looks ordinary in isolation. That means the governance model is built around HR latency instead of identity behaviour. The practitioner implication is that insider-risk programmes must treat pre-notice activity as first-class risk, not background noise.
Notice-period monitoring is a lifecycle control problem disguised as a detection problem. If access is only reviewed after HR marks someone as leaving, the organisation has already accepted a delay that adversaries can use. This is especially true when privileged data access remains unchanged while intent shifts. The implication is that access governance, user-behaviour analytics, and leaver workflows need one shared view of the same identity timeline.
Identity-centric normalisation turns scattered events into an exfiltration narrative. A resume upload, client searches, and self-email only become meaningful when linked to one identity across systems. That is why behavioural correlation is more valuable than isolated alerts for insider risk. The practitioner implication is clear: treat the identity timeline as the unit of analysis, not the individual log event.
Pre-departure exfiltration is a standing privilege abuse pattern, even when the account is not elevated. Insider risk does not require a compromised credential when a trusted user can already reach sensitive data. The weakness is not just missing alerts, but excessive access that remains valid through the full departure window. The implication is that privilege scope and behavioural monitoring must be reviewed together, before the leaver state is formally declared.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- That lifecycle gap is why practitioners should also use NHI Lifecycle Management Guide to tighten provisioning, rotation, and offboarding controls.
What this signals
Notice-period blindness: security teams should treat the HR leaver signal as a late-stage workflow marker, not as the start of insider-risk analysis. The programme gap is that most organisations still separate user lifecycle from behavioural detection, even though the same identity can become high risk before notice and remain active throughout the departure window.
With 72% of organisations having experienced or suspect they have experienced a breach of non-human identities, identity risk is increasingly a lifecycle discipline rather than a pure detection discipline. The same lesson applies here: timing, privilege scope, and behavioural context must be managed together, not handed off between teams.
Teams that already map access review, leaver workflow, and privileged access management to Ultimate Guide to NHIs , Key Challenges and Risks can extend that thinking to insider-risk cases where the user is still employed but functionally preparing to exit. The operative question becomes whether your controls see identity change before the business does.
For practitioners
- Shift insider-risk triggers to behavioural sequences Escalate when job-site browsing, unusual client lookups, and personal-email activity appear in the same identity timeline, even if each event is individually allowed.
- Correlate logs by identity across systems Build a single investigation view that joins web, endpoint, data, and email activity for one user so analysts can see pre-notice behaviour as a sequence.
- Review sensitive access before HR notice Run periodic checks on users with access to client lists, source code, and strategic plans, because exit-related misuse often starts before formal resignation.
- Separate trusted-user status from low-risk status Do not let employment status override behavioural evidence. A user can be fully employed and still show a departure pattern that warrants containment.
Key takeaways
- The core insider-threat risk is pre-notice behaviour, not the resignation event itself.
- Behavioural correlation across systems is what turns noisy activity into a credible exfiltration pattern.
- Programs that align lifecycle controls with identity telemetry are far better positioned to stop loss before it starts.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Least-privilege and access oversight matter when trusted users shift toward exfiltration. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust requires continuous verification when user intent changes before HR notice. |
| NIST SP 800-63 | Identity assurance matters when deciding whether a user remains trustworthy as behaviour changes. |
Use identity assurance and reauthentication signals to support higher-friction access for risky user states.
Key terms
- Notice Period Fallacy: The mistaken belief that insider risk begins when HR records a resignation. In practice, risky behaviour often starts earlier, while the employee still appears normal. The control problem is not the departure date itself, but the delay between intent forming and security noticing.
- Behavioural Indicator: A behavioural indicator is a low-level action that becomes meaningful only when combined with other actions over time. Examples include job-site browsing, unusual file access, or self-emailing. For insider risk, these signals matter because they reveal intent drift before a policy breach is obvious.
- Identity-Centric Normalisation: Identity-centric normalisation is the process of linking activity from multiple systems to one person or account so analysts can see the full sequence of events. It turns scattered logs into a coherent timeline, which is essential when the risk is spread across tools rather than concentrated in one alert.
- Pre-Departure Exfiltration: Pre-departure exfiltration is the removal of data before an employee formally exits, often while access is still legitimate. It is especially difficult to detect because the actor has not yet crossed the obvious lifecycle boundary, so the behaviour can look like routine work until the loss is already underway.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- The behavioural indicators Gurucul maps into its flight-risk watchlist logic across web, email, and data access signals.
- The mechanics of its unified risk scoring and how activity is normalised into a single identity timeline.
- The sequence of resume upload, client lookup, and self-email events used in the fictional Ken Winston scenario.
- The claimed investigation workflow that turns predicted intent into a decision-ready case for security or HR.
👉 Gurucul's full blog covers the Ken Winston scenario, behavioral scoring, and investigation workflow.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-01-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org