You have to define adversary objectives then separate those from normal behavior. Again, you haven’t solved the problem raised in the thread. How are you, a highly paid cyber security professional, going to prevent social engineering from allowing privilege escalation and negative outcomes ranging from fraudulent invoices to knowledgeable, intentional use of applications following expected behavior?