Good IT security is different than what you describe. You are describing give up the house and hope you can get it back again with probabilistic scanners security. It makes your security team look important because they are incapable of their job.
The OWASP auth cheat sheet discusses many of the options for making that phishing of a password useless instead of reacting to its use.. Separate IDPs with weak mfa, fido, etc. And of course if one isn't doing small-time bland business one should consider more complete computing silos for many things, signed email or separate double ratchet oriented messengers, etc.
