Data Protection
How individuals handle, share, store, or exfiltrate sensitive or regulated information.
Indicators
An observed identity sends or opens work-related files using personal email or cloud storage accounts. This bypasses enterprise data governance and may violate compliance policies.
An observed identity links enterprise data to personal file sync or backup services, creating unmanaged data replicas outside corporate control and increasing the risk of data leakage and loss of governance.
An observed identity installs consumer-grade backup software on corporate endpoints, duplicating sensitive files to unapproved destinations.
An observed identity interacts with AI assistants using company-sensitive input, potentially disclosing proprietary or regulated data to services outside organizational control.
An observed identity accesses enterprise cloud applications from personal or non-compliant devices without endpoint protections. This increases the chance of malware infection or credential theft.
An observed identity accesses enterprise systems with personal credentials instead of corporate identities, weakening access controls and audit trails.
An observed identity's account is accessed from locations too far apart to travel between in the elapsed time (impossible travel), which may indicate credential compromise or shared credentials.
An observed identity accesses cloud services using stale credentials, such as access keys past their rotation deadline or credentials belonging to an account that should have been deactivated at offboarding, indicating poor credential hygiene.
An observed identity accesses enterprise applications directly with a local username and password, bypassing SSO and the controls attached to it, such as MFA, conditional access, and centralized logging.
An observed identity shares internal files or folders using unrestricted public links. This makes sensitive content accessible to anyone with the link, often unintentionally.
An observed identity configures shared files or folders to allow broad or public access, whether intentionally or by default. This creates risk of unauthorized data access.
An observed identity places plaintext passwords or keys into cloud storage locations accessible by others, exposing the credentials to theft.
An observed identity configures cloud storage containers to allow public access without authentication, whether intentionally or by mistake.
An observed identity grants long-term access to enterprise data via OAuth or API permissions to third-party apps or extensions. These tools may retain access even after user offboarding.
An observed identity approves data access by unknown or suspicious third-party applications via OAuth integrations, potentially exposing enterprise content.
An observed identity adds extensions from unofficial sources or developers to their browser. These tools may have access to sensitive web session data or cloud content.
An observed identity downloads executable files from websites with poor or no reputation, increasing the likelihood of malware infection.
An observed identity clicks on shortened or obfuscated links received from untrusted sources. These links often lead to phishing or malware-hosting sites.
An observed identity clicks through warnings about expired or untrusted TLS certificates. Each bypass removes the browser's protection against interception or impersonation of that site, and the habit suggests a pattern of risky web behavior.
An observed identity accesses login pages or apps without HTTPS, exposing authentication or session data to interception.
An observed identity accesses key systems using outdated or unsupported web browsers, which may lack modern security controls or policy enforcement capabilities.
An observed identity operates browsers that lack the latest security patches or standards, increasing exposure to known vulnerabilities.
An observed identity interacts with web applications served with expired, misconfigured, or otherwise invalid TLS certificates. Such sites cannot be authenticated by the browser, so the confidentiality and integrity guarantees of the connection are lost.
An observed identity logs into cloud applications from countries or regions known for high cyber risk. This may indicate account compromise or attempts to bypass geo-based controls.
An observed identity uses consumer VPNs, proxies, or anonymizers to hide their location or bypass organizational access restrictions.
An observed identity initiates actions to increase their privileges or admin rights within cloud services, possibly indicating malicious intent or misunderstanding of policy.
An observed identity transfers corporate data into non-approved cloud applications or personal services, bypassing sanctioned tools. This can lead to data loss or leakage through shadow IT.
An observed identity logs in to cloud platforms using root or master accounts instead of delegated roles. Root sessions sidestep per-user attribution and least-privilege boundaries, and a mistake or compromise at that level affects the entire account.
An observed identity posts scripts or source code to public code-hosting services not approved by the organization, potentially leaking intellectual property.
An observed identity consistently accesses cloud services from devices enrolled in enterprise controls.
An observed identity flags suspected phishing messages promptly without interacting with malicious links.
An observed identity reliably saves sensitive files in sanctioned storage systems with appropriate access controls.
An observed identity configures links with least-privilege settings when sharing documents.
An observed identity refrains from installing unvetted or risky browser plugins.
An observed identity stores credentials securely and always uses MFA where supported.
An observed identity actively terminates web sessions instead of relying on idle timeouts.
An observed identity habitually inspects links before engaging, reducing the likelihood of phishing success.
An observed identity doesn’t trigger frequent access-denied events, suggesting strong awareness of access boundaries.
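The impossible-travel indicator above (one account signing in from locations too far apart to reach in the elapsed time) can be checked mechanically from geo-enriched sign-in logs. The following is an added example and not code from the original page: it assumes sign-in records already carry a latitude and longitude (the geo-IP lookup is out of scope), uses a constructed set of sample records, and treats anything faster than a commercial flight (assumed threshold 900 km/h) over at least 100 km as impossible.

```python
"""Impossible-travel detector for sign-in records (added example).

Each record is assumed to be geo-enriched: the IP has already been mapped to
a latitude/longitude by an upstream lookup. Consecutive sign-ins by the same
identity are compared, and any pair that would require travelling faster than
MAX_KMH is reported.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed threshold: roughly commercial-flight speed
MIN_KM = 100.0    # ignore small jumps caused by geo-IP jitter within one area


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    src_ip: str  # kept only for the alert text


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS-84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = (sin(dlat / 2) ** 2
         + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2)
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_line(line):
    """Parse one constructed CSV record: timestamp,user,src_ip,lat,lon."""
    ts, user, src_ip, lat, lon = line.strip().split(",")
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return SignIn(user, when, float(lat), float(lon), src_ip)


def flag_impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return one tuple (user, earlier, later, km, kmh) per consecutive pair of
    sign-ins by the same user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:
                continue
            hours = (b.when - a.when).total_seconds() / 3600.0
            # Two distant sign-ins at the same instant are impossible too.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((user, a, b, round(km), round(kmh)))
    return alerts


# Constructed sample records (not real log data): alice hops London -> New York
# in 90 minutes; bob moves within Paris, then Paris -> Berlin over 11 hours.
SAMPLE_LOG = """\
2024-05-06T08:00:00+00:00,alice,203.0.113.10,51.5074,-0.1278
2024-05-06T09:30:00+00:00,alice,198.51.100.7,40.7128,-74.0060
2024-05-06T08:10:00+00:00,bob,192.0.2.5,48.8566,2.3522
2024-05-06T08:40:00+00:00,bob,192.0.2.9,48.8600,2.3500
2024-05-06T20:00:00+00:00,bob,192.0.2.77,52.5200,13.4050
"""


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return flag_impossible_travel(events)


if __name__ == "__main__":
    for user, a, b, km, kmh in run_sample():
        print(f"{user}: {a.src_ip} -> {b.src_ip}, {km} km in "
              f"{(b.when - a.when)} (~{kmh} km/h)")
```

Only alice is reported: the London to New York pair is roughly 5,570 km in 1.5 hours. Bob's intra-Paris move falls under the 100 km floor and his Paris to Berlin trip (about 880 km over 11 hours) is well within the speed limit. In production the thresholds and the geo-IP source need tuning, since corporate VPN egress points and mobile carriers routinely produce false jumps.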
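Several indicators above concern storage exposed without authentication (public sharing links, broadly shared folders, and storage containers that allow public access). The following is an added example, not code from the original page or any vendor, showing how such a misconfiguration can be detected offline from a retrieved configuration, in the style of an S3 bucket policy, ACL and public-access-block settings. It is deliberately simplified: a policy statement is treated as public when it allows access to a wildcard principal with no Condition at all, and any Condition is assumed to narrow access, which is stricter than the platform's own definition. The sample policies and ACL are constructed.

```python
"""Offline public-exposure check for a cloud storage container (added example).

Inputs are assumed to have been fetched already (for example with
get_bucket_policy, get_bucket_acl and get_public_access_block); this code only
evaluates them. Simplification: any Condition is assumed to restrict the
statement, so only unconditional wildcard-principal Allows are flagged.
"""
import json

# Canned ACL groups that mean "anyone" or "anyone with any cloud account".
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]})."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return []


def public_statements(policy_doc):
    """Return (Sid, actions) for each unconditional Allow to a wildcard principal."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # assumed to narrow access (simplification)
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", []))))
    return findings


def public_acl_grants(acl):
    """Return (grantee URI, permission) for grants to the public groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GRANTEES:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def assess_bucket(name, policy_doc=None, acl=None, public_access_block=None):
    """Return (is_public, reasons). All four public-access-block flags set to
    True are treated as overriding policy and ACL findings."""
    pab = public_access_block or {}
    if all(pab.get(flag) for flag in PAB_FLAGS):
        return False, [f"{name}: public access blocked at the bucket level"]
    reasons = []
    if policy_doc:
        for sid, actions in public_statements(policy_doc):
            reasons.append(f"{name}: policy statement {sid!r} grants "
                           f"{', '.join(actions)} to everyone")
    if acl:
        for uri, perm in public_acl_grants(acl):
            reasons.append(f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    return bool(reasons), reasons


# Constructed samples. PUBLIC_POLICY is the classic "static website" mistake;
# VPC_POLICY has the same principal but is fenced to one VPC.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
VPC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}}]})
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
FULL_PAB = {flag: True for flag in PAB_FLAGS}

if __name__ == "__main__":
    for label, kwargs in [("policy", {"policy_doc": PUBLIC_POLICY}),
                          ("vpc", {"policy_doc": VPC_POLICY}),
                          ("acl", {"acl": PUBLIC_ACL}),
                          ("blocked", {"policy_doc": PUBLIC_POLICY,
                                       "public_access_block": FULL_PAB})]:
        print(label, assess_bucket("example-bucket", **kwargs))
```

Run periodically over every container in the tenant, this kind of check turns the indicator into a concrete finding with the offending statement or grant named, which is what the owner needs in order to fix it. The same shape applies to document-sharing links: enumerate link permissions and flag any "anyone with the link" setting in the same way.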
Relevance
Data protection behavior reflects how well employees safeguard the organization’s most critical asset: its information. It shows whether sensitive data is being managed in alignment with policies and regulatory requirements.
Why this matters
This category matters because breaches often stem from mishandled data, whether accidental or intentional. By monitoring these behaviors, security teams can enforce controls that prevent leaks, misuse, or unauthorized access.
Consequences of neglect
Without proper oversight, organizations risk data exposure, compliance fines, legal penalties, and reputational harm. Mishandled information can also erode customer trust and invite regulatory scrutiny.