We had a member join our cyber defence team approximately a year ago. This role is not a red-team role nor does it involve regular penetration testing. We have just recently discovered that this individual has been running unapproved phishing simulations to various users throughout our organization including various high ranking officials and executives. The results of these tests aren’t documented anywhere nor can we confirm what information, if any, was captured as part of these ‘experiments’. My immediate recommendation was to term given the individuals tenure at the organization however I am getting pushback indicating that perhaps this was a communication or training issue. Has anyone experienced this? Am I crazy with my recommendation here?