> a former interim IT manager still had an email client connected via token authentication - with access to all messages. And that person had signed the original contract with the provider years before. Informally questioned, he admitted contacting them "to warn them" but claimed it was harmless.

This kind of behavior rubs me the wrong way. People leaking stuff, breaking compliance and then say - It was just harmless.

I work with a Director who has done something similar multiple times. The chain of events often is - She attends an industry conferences, there she learns about a piece of software, she goes ahead and schedules product demos and solicits a contract. She then contacts the only outsourcing agency she is aware of and promises to give them the implementation contract. Then reaches out as she doesn't have the authority to sign those contracts.

Since the time I have been responsible for product selection this has happened twice. Both times I have been under different managers. Both managers have insisted it was harmless.

Last time this happened the Director was told by promising work and soliciting contracts she was in gross non compliance of the company policies. Her response showed how little she cared. As per her, this was an internal matter and no one could punish her.

Later when we evaluated the product and it promised to "get better with time". All the company's data was being ingested into an AI without regard for enterprise data security rules. Even then her response was - What is the big deal? Everyone reads everyone's data. Legal got involved and shut it down - they asked the product to turn off AI features for our instances.

It is really hard to contend against a malicious or dumb team mate. In a corporate setting if they are higher than you then it is even more difficult. They can chalk it up to a harmless mistake and no one can do a thing.