Making sure outside attackers don’t hack the Federal Bureau of Investigation is obviously one of the law enforcement agency’s top priorities. But equally important is ensuring that disgruntled employees or spies don’t sneak off with sensitive data.
FBI chief security officer Arlette Hart described the work involved in preventing so-called insider threats during an appearance on Tuesday at the Structure Security conference in San Francisco.
Hart said that the problem of insider threats is as “old as the hills” and that every organization, from big businesses to the National Security Agency, has to deal with the possibility. The NSA, of course, is still reeling from the high-profile leaks from the spy agency’s surveillance program by whistleblower Edward Snowden.
The FBI stepped up monitoring its employees around February 2001 after an FBI agent named Robert Hanssen was discovered to be secretly working as a Russian spy, she said. Prior to that, the FBI “didn’t have a real serious focus on insider threats,” Hart said.
An incident a few years later involving FBI agent Leandro Aragoncillo, who was spying for the Philippines, was another wake-up call for the agency, which then started to take a hard look at how its workers were accessing work apps and data.
Hart didn’t explain the specific ways and technologies the FBI uses to track workers, but said that all employees must consent to being monitored by the law enforcement agency. She said that unlike many businesses, employees are not allowed to bring their own smartphones and related devices to work, which presumably makes it harder for people to sneak sensitive information onto their devices or put data at risk if those devices are lost or stolen.
Get Data Sheet, Fortune’s technology newsletter.
She said the FBI has a system that it started in 2009 in which people can report suspicious behaviors. Although organizations like Amazon (AMZN) have similar reporting systems, the FBI does not allow employees to anonymously report bad activity.
“We don’t want anonymous reporting,” Hart said. Anonymous reporting “tends to turn into people throwing rocks at people,” she said.
Although artificial intelligence techniques like machine learning can crunch vast quantities of data and can help determine if someone is behaving oddly in an organization’s computer networks, people shouldn’t put all their trust in the technology, Hart said.
For more about cybersecurity, watch:
A.I. systems can only help find evidence of malicious activity, and it’s up to people to actually prove that someone is indeed up to no good.
“You don’t want to rely only on technology,” Hart said.