I understand the concern, but it isn’t a huge issue in practice, at least not over the 10 years I’ve been working on this project.
(also bear in mind we auto-revoke staff access and require email revalidation for staff that are long absent, which patches most of this automatically IMO)