They don't need to take a corporate device with them. They need to have exfiltrated a credential during the (long) time they had alone with the laptop. You trust new employees' phones the way you decided to trust anything else: a risk assessment based on what the company is willing to bear, taking into account compensating controls like MDM.
Are you suggesting "no creds that live outside of trusted elements physically tied to a device we own" is a ubiquitous property of access management?
> no creds that live outside of trusted elements physically tied to a device we own.
I’ve never worked full time at a software company that allowed credentials on employee personal devices. Supposedly because most consumers are up to their eyes in malware, often from the moment they buy the devices, not because the employees are untrustworthy (it would be difficult to have a functioning business where you can’t trust the employees).
Or alternatively, why are you trusting new employees’ phones? That’s absolute insanity.