The way we solved that is we put our data into either EpiGrid or Box, where we can log access and we can get alerts. We can see if the user has accessed a thousand files today. Is there any reason why that guy needed a thousand files? Probably not. He's probably getting ready to walk out the door, so you might want to go and ask him, why were you downloading a thousand files' worth of data, or 2000 files? Once I moved stuff to Box or Office 365, all of my users were potential security risks for me, just like the guy who doesn't work for us.
At this point, i think that direct manager have to tell what permission must have this employee for short term