ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™Insider Threat Matrix™
  • ID: AF028.002
  • Created: 06th October 2025
  • Updated: 08th October 2025
  • Contributor: The ITM Team

Unauthorized Leave

The subject avoids investigative scrutiny by failing to report to work without formal authorization, also known as Absence Without Leave (AWOL). This may occur immediately after detection avoidance behaviors or in anticipation of policy enforcement. By going dark, the subject hinders interview scheduling and limits organizational recourse under standard HR workflows. This tactic may also serve to buy time for evidence destruction, off-site data transfer, or the coordination of third-party narratives.

Prevention

ID Name Description
PV071Conditional Contact During Leave

Establish policy and procedural authority to contact subjects under formal investigation during periods of authorized or unauthorized leave. This mechanism ensures that investigative continuity, containment actions, and required interviews can proceed despite absence from duty.

 

Prevention Measures

  • Amend internal HR and Acceptable Use Policies (AUPs) to include a clause permitting investigative contact with aliased subjects during leave, where the subject is materially involved in an active investigation.
  • Require that all leave requests undergo a check against the Alias Register prior to approval, with flagged cases routed to Legal and the Insider Threat Investigation Team for review.
  • Define conditions for permissible contact, such as limiting outreach to official communication channels and ensuring legal oversight for medical or protected leave scenarios.
  • Include escalation pathways for unreachable or non-compliant subjects, particularly in AWOL scenarios or when delays introduce operational risk.
  • Formalize the policy via the Acceptable Use Policy Advisory Panel (AUPAP) to ensure defensibility and alignment with employment law and organizational governance.