People-First Purview (Strategy): Insider Risk Management
E.C. Scherer, Jan 13 (4 min read)
Insider Risk Management (IRM) is one of those topics that makes people uncomfortable fast. When it comes up, most organizations go one of three directions:
- They assume it means they don’t trust their people.
- They picture some kind of internal surveillance program.
- Or they say, “We don’t have anything worth stealing.”
None of those are risk conversations. They’re fear, optics, or denial.
Insider risk isn’t about catching bad employees. It’s about recognizing when normal access and real pressure line up in a way that can cause harm.
If you build IRM like a surveillance program, people will treat security like an enemy. If you assume there’s nothing worth protecting, you’re just hoping you never get proven wrong.

Behavior isn’t the signal
This is the part that trips people up.
Behavior, by itself, doesn’t matter. Deviations from baseline do.
Working late isn’t risk. Logging in at odd hours isn’t automatically risk. People have kids. People have deadlines. People have lives.
What matters is whether someone is still operating inside their normal pattern.
Same locations. Same systems. Same workflows. Same expectations the next day.
Insider risk shows up when access, activity, and outcome stop lining up over time or when a single event is severe enough that it clearly breaks expectation.
Patterns matter. Single moments need corroboration.

That corroboration might come from time, from other signals, or from the sensitivity of what was touched. The point isn’t to ignore one-offs. It’s to avoid treating every unusual action as intent.
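The rule the section describes, as an added illustration that is not code from the original post: each user gets a baseline of their own normal locations and systems, a deviation is tracked but not reported on its own, and a finding is raised only when corroborated by repetition over a window, by several dimensions deviating at once, or by the sensitivity of what was touched. The events, users, thresholds and sensitivity labels are constructed for the example.

```python
from collections import defaultdict

# Constructed sample access events (user, day, location, system, sensitivity); not from the post.
EVENTS = [("ana", d, "office", "crm", "low") for d in range(1, 8)]
EVENTS += [("ana", 8, "home", "crm", "low"),     # one-off: odd location, normal system, low sensitivity
           ("ana", 9, "home", "hr-db", "high")]  # off-pattern and sensitive: corroborated by severity
EVENTS += [("bo", d, "office", "wiki", "low") for d in range(1, 6)]
EVENTS += [("bo", d, "office", "finance", "low") for d in range(6, 9)]  # same drift three days running

BASELINE_DAYS = 5   # events of history needed before a user has a baseline (assumed threshold)
WINDOW = 3          # span of days over which repeated deviations form a pattern (assumed)
REPEAT = 3          # deviations inside the window that count as a pattern (assumed)


def evaluate(events):
    """Return findings as (user, day, reason).

    A deviation from the user's own baseline is reported only when corroborated:
    by repetition over time, by a second dimension deviating in the same event,
    or by the sensitivity of what was touched. A lone low-sensitivity one-off is
    tracked but not reported.
    """
    baseline = defaultdict(lambda: {"location": set(), "system": set(), "days": 0})
    deviation_days = defaultdict(list)
    findings = []
    for user, day, location, system, sensitivity in sorted(events, key=lambda e: e[1]):
        b = baseline[user]
        if b["days"] < BASELINE_DAYS:          # still learning what "normal" is for this user
            b["location"].add(location); b["system"].add(system); b["days"] += 1
            continue
        off = [dim for dim, value in (("location", location), ("system", system)) if value not in b[dim]]
        if not off:
            continue                            # inside the normal pattern: nothing to do
        deviation_days[user].append(day)
        recent = [d for d in deviation_days[user] if day - d < WINDOW]
        if sensitivity == "high":
            findings.append((user, day, "+".join(off) + " deviation on sensitive system"))
        elif len(off) > 1:
            findings.append((user, day, "multiple dimensions deviated at once"))
        elif len(recent) >= REPEAT:
            findings.append((user, day, f"deviation repeated {len(recent)} days in {WINDOW}"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```

Ana's day-8 login from home produces no finding; only the repeated drift and the sensitive-system access are reported.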
Why humans complicate insider risk management
In my everyday life, I try to assume best intent.
In security, I’ve been trained to be professionally suspicious. I do not always get the luxury of slowing down and thinking things through. I do not want to assume someone or something is malicious. I also do not have the luxury of waiting for perfect information before acting.
This is exactly where insider risk becomes difficult and where good systems matter. They do not replace judgment or remove accountability. They help resolve that tension by adding context quickly. Baselines. Corroboration. Signal correlation. Enough information to act with confidence instead of guessing.
Humans still make the call. They just do not have to make it blind.
Proportional response is not a setting
This is where people go looking for a magic button. There isn't one.
You cannot configure your way into proportional response. This is not about detection. It is about what happens after an Insider Risk alert fires.
When an alert shows up, someone has to decide what happens next. Does it stay with security for monitoring? Does it escalate to HR? Or does it get documented and closed?

Those decisions do not belong to the tool. They belong in policy. Written down. Agreed to ahead of time. Practiced before the first real alert lands.
If you are figuring this out in the moment, all you are doing is collecting evidence and hoping someone else decides how much it matters.
Maturity comes first
You have your security policies in hand and you are ready to get started, but...
Your endpoints are messy, identity is loose, data is not classified, and applications are not well understood.
You do not actually know what signals you have or which one-off events should immediately matter. You end up configuring Insider Risk reactively, one gap at a time, instead of making intentional decisions about thresholds and escalation.
IRM does not create maturity. It depends on it.
It should be guided by your broader security program and your governance program together. If those are not aligned yet, no amount of configuration will fix that.
This post is part of a series
Insider Risk is not where people should start.
This post builds on earlier work in the People-First Purview series, where intent and moment-based controls come first:
- People-First Labeling in Purview: Sensitivity labels are how organizations define what actually matters. This post covers intent, clarity, and why classification needs to come before enforcement.
- People-First Purview: DLP Without Breaking Trust: DLP works best when it intervenes at the right moment, without making users feel trapped or policed. This post focuses on pause-and-think controls, proportional friction, and keeping people in the loop.
Labels define intent. DLP handles moments. Insider Risk looks for patterns over time.
If you skip ahead, everything downstream gets harder to defend.
Where this goes next
This post is about how to think about Insider Risk without turning it into surveillance, paranoia, or a magic bullet.
The next post will be technical. Architecture. Signals. Thresholds. How to design Insider Risk so both patterns and high-impact moments are handled intentionally.
If this one felt uncomfortable in places, good. That usually means you are thinking about the right problems first.
Next in the technical series: People-First Purview (Technical): Insider Risk as Signal, Not Surveillance