If you have a corporate laptop of ours I can log into the security dashboard and see the 15th command you issued in the terminal on December 12th, which processes it spawned, which files it accessed, which servers it reached out to... and this is with standard AV software. We're not even set up for worker monitoring (nor do we have interest, our mandate is on the security side not the HR side) but I could probably piece together a decently solid idea if he was pulling up outside messages or pulling in completed work from an outside system even without such additional worker monitoring tools.