by capguy255
1480 days ago
Having used the comm compliance tool in M365 and other similar tech - a lot of the comments here seem to miss the point. "Leaver" IT policies are fairly common security practices to limit the risk that someone takes IP or customer lists with them to another job. The point is not to detect whether someone is going to quit but rather to detect unapproved behaviors by someone as they are on the way out the door. There are various compliance tools in Office 365 designed for data retention, eDiscovery, and investigation and this is an offshoot of that. It is more efficient and less obtrusive to target suspect behaviors than to have an analyst or attorney download and review all of an employee's communication and activity. As I've seen communication compliance used, the leaver policy is enabled when a person is marked within an HR system as leaving the company, or when their Active Directory account is disabled. If certain sequences of activity occur such as downloading lots of files from SharePoint and they are copied to a USB drive or to an external file share, or if a file previously owned by the leaving employee is accessed after the AD account is disabled by an external user, it fires off an alert. I'm skeptical about the value of the use of a "classifier" given that there isn't much documentation that explains how it works, how it's trained, and any documented workflow to statistically validate the model. Instead of using "classifiers" you can create custom policies based around keywords, regex patterns, or targeting sequences such as download x # of files then copy then delete. I think it would be interesting if you could build a custom classifier using your own positive and negative examples, define your own score thresholds, train models around specific excerpts rather than on entire emails, and test the classifier using a set of human reviewed data.
Regardless though - I'm far less suspicious of the general idea that companies are focused on "inside threats" than whether they understand how things work. Machine learning algorithms are basically just fancy text searching backed by statistical analysis but there are a lot of input variables and also a few different ways to defensibly measure the performance of the tools. The M365 tool doesn't expose much of that and a lot of compliance teams are probably going to be concerned about wasting time chasing false positives.
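
The sequence-style policy described in the comment above (many downloads followed by a copy to USB or an external share, evaluated only once a user is flagged as leaving), as an added example that is not part of the original comment or of any Microsoft 365 tooling. The event fields, action names, thresholds and sample data are all constructed assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical action names; not the Microsoft 365 audit log schema.
EXFIL_ACTIONS = {"copy_usb", "copy_external_share"}

# Constructed HR feed: user -> time the user was marked as leaving.
LEAVERS = {"alice": datetime(2021, 3, 1), "carol": datetime(2021, 3, 2)}

# Constructed audit events: (ISO timestamp, user, action, target).
EVENTS = [
    # alice before the HR flag: same pattern, but the policy is not yet active
    ("2021-02-20T09:00:00", "alice", "download", "a.docx"),
    ("2021-02-20T09:01:00", "alice", "download", "b.docx"),
    ("2021-02-20T09:02:00", "alice", "download", "c.docx"),
    ("2021-02-20T09:05:00", "alice", "copy_usb", "a.docx"),
    # alice after the flag: three downloads, then a copy to USB within the window
    ("2021-03-01T09:00:00", "alice", "download", "customers.xlsx"),
    ("2021-03-01T09:02:00", "alice", "download", "pricing.xlsx"),
    ("2021-03-01T09:05:00", "alice", "download", "roadmap.pptx"),
    ("2021-03-01T09:10:00", "alice", "copy_usb", "customers.xlsx"),
    # bob is not a leaver, so the same burst is out of scope for this policy
    ("2021-03-01T10:00:00", "bob", "download", "x.pdf"),
    ("2021-03-01T10:01:00", "bob", "download", "y.pdf"),
    ("2021-03-01T10:02:00", "bob", "download", "z.pdf"),
    ("2021-03-01T10:03:00", "bob", "copy_usb", "x.pdf"),
    # carol: below the threshold, then a later copy with no recent downloads
    ("2021-03-02T10:00:00", "carol", "download", "notes.txt"),
    ("2021-03-02T10:01:00", "carol", "download", "plan.txt"),
    ("2021-03-02T10:05:00", "carol", "copy_usb", "notes.txt"),
    ("2021-03-02T12:00:00", "carol", "copy_external_share", "plan.txt"),
]

def detect_leaver_exfil(events, leavers, min_downloads=3,
                        window=timedelta(minutes=30)):
    """Return (user, timestamp, download_count) for each download-then-copy burst."""
    recent = defaultdict(deque)  # user -> download times still inside the window
    alerts = []
    for ts, user, action, _target in sorted(events):
        when = datetime.fromisoformat(ts)
        flagged_at = leavers.get(user)
        if flagged_at is None or when < flagged_at:
            continue  # policy only applies once HR has marked the user as leaving
        downloads = recent[user]
        while downloads and when - downloads[0] > window:
            downloads.popleft()  # expire downloads older than the window
        if action == "download":
            downloads.append(when)
        elif action in EXFIL_ACTIONS and len(downloads) >= min_downloads:
            alerts.append((user, ts, len(downloads)))
            downloads.clear()  # one alert per burst
    return alerts
```

Lowering `min_downloads` shows the false-positive trade-off the comment raises: with a threshold of 2, carol's two-file copy also alerts.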