In my brush with a similar issue, the intrusion detection system flagged Tor traffic as potential malicious traffic. The IDS can't tell if this is malware calling back to a command and control node via Tor.
We allow developers to install their own software, so there isn't a good way to enforce browser policies. We ended up letting the developers know that connections to Tor generate alerts, and that these tie up security resources. That was enough that we haven't seen the issue again.
In our case the developer was using Brave and had opened the private window with Tor. That gave us a plausible explanation that didn't include malware, so we closed the ticket.
I'd say that there are very few legitimate reasons a Tor connection would come from a corporate network. So we'd like to keep the alert on, but any false positives tie up resources. Developers sometimes accidentally install malware, so we need to be vigilant about detecting and remediating that.
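As an added illustration of the kind of rule behind the alert described above (example code written for this page, not from the thread, any IDS product, or the Tor project): match outbound connections against a list of known Tor relays and raise an alert. The relay addresses and the log lines are constructed for the example (RFC 5737 documentation addresses stand in for real relay IPs); a real deployment would load the relay list from the Tor consensus, which changes hourly, and read real connection logs. Note that, exactly as the comment says, the rule cannot tell a Brave private window with Tor from malware beaconing over Tor; that distinction is left to the analyst.

```python
"""Flag outbound connections to known Tor relays from corporate hosts.

Added example. TOR_RELAYS, TOR_PORTS and SAMPLE_LOG are constructed for
illustration; nothing here is pulled from a live source.
"""
import ipaddress
from dataclasses import dataclass

# Constructed relay set (documentation addresses, not real relays).
TOR_RELAYS = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("198.51.100.7"),
}
# Ports Tor relays commonly listen on; used only to rate confidence,
# since a relay on an unusual port is still a relay.
TOR_PORTS = {9001, 9030, 443}

# Assumed corporate address range for the example.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass
class Alert:
    src: str
    dst: str
    dport: int
    confidence: str  # "high": known relay on a typical Tor port, else "medium"


def parse_conn_line(line):
    """Parse one whitespace-separated record: ts src sport dst dport proto."""
    ts, src, sport, dst, dport, proto = line.split()
    return (ts, ipaddress.ip_address(src), int(sport),
            ipaddress.ip_address(dst), int(dport), proto)


def detect_tor(lines):
    """Return an Alert for every corporate TCP connection to a known relay."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, _sport, dst, dport, proto = parse_conn_line(line)
        # Only outbound TCP from our own hosts is interesting; Tor is TCP-only.
        if src not in CORP_NET or proto != "tcp":
            continue
        if dst in TOR_RELAYS:
            confidence = "high" if dport in TOR_PORTS else "medium"
            alerts.append(Alert(str(src), str(dst), dport, confidence))
    return alerts


def hosts_by_alert_count(alerts):
    """Group alerts per source host so a triager sees who is talking to Tor."""
    counts = {}
    for a in alerts:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts


# Constructed connection log: ts src sport dst dport proto
SAMPLE_LOG = """\
# constructed sample, not real traffic
1700000000.1 10.1.2.3 51234 203.0.113.10 9001 tcp
1700000000.2 10.1.2.3 51235 93.184.216.34 443 tcp
1700000000.3 10.1.2.9 51300 198.51.100.7 443 tcp
1700000000.4 10.1.2.9 51301 198.51.100.7 53 udp
"""

if __name__ == "__main__":
    found = detect_tor(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print(hosts_by_alert_count(found))
```

Running this over the constructed log yields two alerts (one per host); the UDP line is ignored because Tor only carries TCP, and the connection to the non-relay address is not flagged. Whether a flagged host is a developer's browser or a compromised machine still has to be decided by looking at the host itself.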
Tor enables content that work can't monitor or block. And it's associated with child porn, dark web drug networks, sex trafficking, and similar. In reality, it's a small part of Tor. In the media, that's all it's used for.
This needs to be compared to clearnet for it to paint an accurate picture, which has reached 64% recently[1]. Though this figure comes from summing "good bots" with "bad bots", Cloudflare seems to have done the same ("automated requests", "content scraping").
The initial post mentions FUD and top-level management, so it's possible management associate Tor with dark net drug dealing, CP, assassinations and so on. Non-tech people aren't likely to have heard of Tor in any other context.
I've never used Onionshare, but it would allow untraceable file transfers bidirectionally through any (permitting) corporate firewall, and keybridging/mitm cert rewrites could not see into the session.
Every company I've worked for has had DLP, firewalls, and content filtering in place, and circumventing those is a violation of acceptable use policies, and thus grounds for termination... so it seems pretty cut and dry to me.