This isn't an individual issue, this is an organizational systemic issue. It isn't on the individual to "do better" or not make mistakes. Even if they had made a PAT, there should be an org level policy that PAT tokens can only last x-days where x is very short (as an example, PAT tokens should be banned).