Knowledge Challenge

An enterprise buys a 'Zero Trust' ZTNA product and rolls it out for remote employees in 6 months. They keep the corporate VPN for in-office staff and don't change identity, device, or microsegmentation. Two years later, an attacker compromises a developer laptop in the office and exfiltrates data from production. What's the most likely root cause?