by dasil003 1567 days ago
You're overly focused on individual behavior of ex-employees, and overestimating the amount of thought the C Suite is putting into the matter.

The risk does not come primarily from disgruntled employees doing bad things—there's already a huge legal deterrent to that since they know exactly who you are. The bigger risk is what can happen when credentials are stolen by actual criminals. This is context dependent, but scales with the number of employees times the number of accounts, the latter of which has trended up dramatically as cheap B2B SaaS has proliferated.

What happens when a laptop is lost? What happens if a DB is hacked and users had reused passwords? How do we know who even has access to what when teams self-administer access control? These start to become real security problems at relatively modest scale even if we assume every employee is a saint.

Even leaving security aside, the management of accounts starts to become a significant pain point in the low hundreds of employees, and so it will typically be the IT team that pushes for SSO first, well before compliance comes into the picture.