Web & Cloud Usage
How individuals access internet resources and cloud-based services.
Indicators
An observed identity sends company source code to external AI services not sanctioned by policy. This exposes intellectual property to third parties, increases the risk of unintended data leakage, and bypasses approved code security processes.
An observed identity connects to unapproved cloud storage platforms. This creates unmanaged data repositories outside enterprise visibility, increasing the likelihood of data sprawl and unmonitored leakage of sensitive files.
An observed identity uploads confidential or proprietary data to personal cloud accounts. Such behavior circumvents enterprise data controls and creates a high risk of data exfiltration, loss of ownership, and regulatory compliance issues.
An observed identity browses to domains with little reputation history or flagged as suspicious by threat intelligence. This increases the chance of exposure to phishing, malware, or adversary-controlled infrastructure.
An observed identity installs browser extensions with known security flaws. These plugins can act as attack vectors, enabling data theft, content injection, or interception of browsing activity.
An observed identity attempts to bypass enterprise network routing through proxies or VPNs. This reduces monitoring effectiveness, hides activity from defenders, and provides potential channels for unmonitored data transfer.
An observed identity attempts to access websites explicitly blocked by enterprise policy. Such attempts may indicate intentional circumvention of security rules or risky browsing habits that expose the organization to unsafe content.
An observed identity visits websites confirmed to distribute malware or host phishing pages. These connections create immediate exposure to endpoint compromise and credential theft.
An observed identity attempts to visit websites flagged by enterprise policy due to their risk category or inappropriate content. Such activity increases potential legal, reputational, or security risks.
An observed identity visits websites categorized as AI tools. While not inherently malicious, this may raise concerns about unmonitored use of AI platforms and possible exposure of sensitive data.
An observed identity accesses social media platforms with unusual frequency. Excessive use may indicate non-business activity, loss of productivity, or exposure to social engineering threats.
An observed identity visits websites categorized as risky by enterprise or industry intelligence. Accessing such sites elevates exposure to malicious content or non-compliant business activity.
An observed identity attempts to connect to restricted websites but is blocked by enterprise controls. Although blocked, such attempts may reflect risky intent or disregard for policy.
An observed identity repeatedly uses SaaS platforms unrelated to business needs. This increases the surface area for data mismanagement and introduces risks of shadow IT.
An observed identity uploads unusually high volumes of files to cloud applications. Such behavior may indicate intentional data exfiltration or automated bulk transfers outside business norms.
An observed identity signs into corporate applications from devices or locations that are not pre-approved. This activity increases the risk of unauthorized access, compromised endpoints, or geolocation-based attacks.
An observed identity adopts multiple SaaS tools that provide overlapping functions. This behavior increases data fragmentation, weakens governance, and raises the risk of unmanaged data exposure.
An observed identity accesses SaaS platforms directly without using corporate SSO. This bypass reduces visibility into authentication events and undermines centralized identity controls.
An observed identity consistently accesses SaaS applications only through corporate SSO. This behavior reinforces centralized identity protections and reduces opportunities for credential misuse.
An observed identity limits SaaS usage exclusively to enterprise-approved platforms. This demonstrates compliance with policy and minimizes risks of shadow IT or unvetted applications.
An observed identity reports browser pop-ups, redirects, or other suspicious web activity to security teams. This vigilance supports faster detection and containment of potential threats.
An observed identity flags unfamiliar SaaS applications in use within the environment. Such reporting helps security teams identify shadow IT and mitigate risks tied to unauthorized tools.
An observed identity frequently accesses internal resources designed for security awareness. This proactive behavior indicates strong engagement with security education and cultural reinforcement.
An observed identity submits IT help desk tickets when encountering blocked or restricted services. Such actions demonstrate compliance with escalation processes rather than circumventing controls.
An observed identity signs into SaaS applications using multi-factor authentication. This provides an additional safeguard against credential theft and strengthens identity assurance.
An observed identity downloads documents from cloud platforms not recognized or approved by IT. This introduces the risk of ingesting malicious content or bypassing enterprise data governance.
An observed identity primarily browses websites in categories approved as safe for business, such as industry news or research. This indicates lower browsing risk and alignment with corporate policy.
An observed identity limits usage of cloud collaboration tools to normal business hours. This reduces after-hours exposure and may indicate disciplined adherence to organizational policies.
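Several of the indicators above are computed from web proxy or CASB logs rather than observed directly. The following is an added example, not code from the original page or from any product: it parses a handful of constructed log lines in an assumed space-separated format (timestamp, user, action, HTTP method, domain, URL category, bytes uploaded, authentication path) and flags four of the indicators listed above: uploads to cloud storage outside the sanctioned set, upload volume well above an assumed per-user daily baseline, SaaS access that did not go through corporate SSO, and repeated attempts against blocked sites. The domains, baselines, field names and thresholds are all assumptions chosen for illustration.

```python
"""Detection logic for four Web & Cloud Usage indicators, run over constructed
proxy/CASB log lines. Added example; the log schema, domains, baselines and
thresholds below are assumptions, not any vendor's format."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: ts user action method domain category bytes_out auth
SAMPLE_LOG = """\
2024-05-01T09:02:11Z alice ALLOW POST files.corp-approved.example cloud-storage 2400000 sso
2024-05-01T09:15:40Z alice ALLOW GET news.example business-news 1200 none
2024-05-01T10:03:55Z bob ALLOW PUT personal-drive.example cloud-storage 850000000 direct
2024-05-01T10:07:02Z bob ALLOW PUT personal-drive.example cloud-storage 910000000 direct
2024-05-01T11:22:19Z bob ALLOW POST crm-tool.example saas 4000 direct
2024-05-01T12:01:00Z carol BLOCK GET gambling.example restricted 0 none
2024-05-01T12:01:05Z carol BLOCK GET gambling.example restricted 0 none
2024-05-01T12:01:09Z carol BLOCK GET torrents.example restricted 0 none
2024-05-01T13:45:30Z dave ALLOW POST crm-tool.example saas 3000 sso
this line is malformed and must be skipped
"""

# Assumed policy data: the approved storage platform and typical daily upload
# bytes per user (in practice derived from weeks of history, not hard-coded).
SANCTIONED_STORAGE = {"files.corp-approved.example"}
BASELINE_DAILY_UPLOAD = {"alice": 3_000_000, "bob": 5_000_000,
                         "carol": 1_000_000, "dave": 2_000_000}
UPLOAD_METHODS = {"POST", "PUT"}
VOLUME_MULTIPLIER = 5          # flag a day above 5x the user's baseline
BLOCKED_ATTEMPT_THRESHOLD = 3  # flag three or more blocked requests


@dataclass
class Event:
    ts: str
    user: str
    action: str
    method: str
    domain: str
    category: str
    bytes_out: int
    auth: str


def parse_log(text):
    """Parse the assumed eight-field format; malformed lines are skipped and counted."""
    events, skipped = [], 0
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or not fields[6].isdigit():
            skipped += 1
            continue
        ts, user, action, method, domain, category, bytes_out, auth = fields
        events.append(Event(ts, user, action, method, domain, category, int(bytes_out), auth))
    return events, skipped


def detect(events):
    """Return {user: sorted list of indicator names} for the events of one day."""
    findings = defaultdict(set)
    upload_totals = defaultdict(int)
    blocked_counts = defaultdict(int)
    for e in events:
        if e.action == "ALLOW" and e.method in UPLOAD_METHODS:
            upload_totals[e.user] += e.bytes_out
            if e.category == "cloud-storage" and e.domain not in SANCTIONED_STORAGE:
                findings[e.user].add("unsanctioned_cloud_storage_upload")
        if e.category == "saas" and e.auth == "direct":
            findings[e.user].add("saas_access_without_sso")
        if e.action == "BLOCK":
            blocked_counts[e.user] += 1
    for user, total in upload_totals.items():
        baseline = BASELINE_DAILY_UPLOAD.get(user, 0)
        if baseline and total > VOLUME_MULTIPLIER * baseline:
            findings[user].add("high_volume_upload")
    for user, n in blocked_counts.items():
        if n >= BLOCKED_ATTEMPT_THRESHOLD:
            findings[user].add("repeated_blocked_attempts")
    return {user: sorted(names) for user, names in findings.items()}


def run_example():
    events, skipped = parse_log(SAMPLE_LOG)
    return detect(events), skipped


if __name__ == "__main__":
    results, skipped = run_example()
    print(f"skipped {skipped} malformed line(s)")
    for user, names in sorted(results.items()):
        print(user, ", ".join(names))
```

On the constructed sample this flags bob for all three upload/SSO indicators and carol for repeated blocked attempts, while alice and dave (sanctioned storage, SSO sign-in) produce no findings. The volume check compares against a per-user baseline rather than a global constant so that a user whose role involves large legitimate uploads is not flagged every day.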
Relevance
This category reveals shadow IT usage, risky browsing, and unmanaged cloud interactions that bypass corporate oversight. It provides insight into where enterprise data may flow outside controlled environments.
Why this matters
Practitioners must pay attention to this category because web and cloud use is integral to modern work. Risky practices can expose sensitive data to untrusted platforms, weaken compliance, and broaden the attack surface.
Consequences of neglect
Uncontrolled usage leads to unmonitored data transfers, malware exposure, and regulatory violations. Attackers exploit these blind spots to infiltrate systems or exfiltrate sensitive data.