1 - some employees do not read policies (despite some really explicit training during onboarding) and disable the password so they don't have to type it during login;
2 - Apple software is hot shit and somehow FileVault disabled itself on an employee laptop. I'm 100% sure that it was previously enabled. It required multiple support calls, an OS reinstall, and a full machine wipe performed at an Apple store to get it re-enabled, so I believe the employee who says he didn't disable it.
Either way, I had to install an MDM to make sure that there is always a password on the machine, a lockout time, and FileVault enabled. That MDM, unfortunately, gives me far more control than I want, but there's nothing I can do about that; it's a package deal. I'd prefer not to install them, but one idiot disabling passwords, even after very specific training, because it's inconvenient to type them, ruined it for everyone.
And the answer roughly comes down to (1) it trained me out of trusting, even in a small shop; and (2) now that I know these things happen, I have to protect against them. If I abuse what the MDM gives me, I expect my employees to fire me, i.e. quit.
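A small audit script that checks the two settings the post says the MDM has to enforce (FileVault on, password required at the lock screen), as an added example that is not part of the original post or any MDM product. It parses the output of `fdesetup status` rather than calling it directly so it runs offline; the sample strings are constructed, and the `defaults read com.apple.screensaver askForPassword` key used for the screen-lock check is an assumption that may vary by macOS version.

```shell
#!/bin/sh
# Added example: offline parser for the two compliance checks in the post.
# On a real Mac you would feed it live output, e.g.
#   audit_mac "$(fdesetup status)" "$(defaults read com.apple.screensaver askForPassword)"

# Returns 0 when the text passed in reports FileVault as enabled.
# $1: output of `fdesetup status` ("FileVault is On." / "FileVault is Off.")
check_filevault() {
  case "$1" in
    *"FileVault is On."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when the screen lock requires a password.
# $1: value printed by `defaults read com.apple.screensaver askForPassword`
#     (assumption: "1" means a password is required after sleep/screensaver)
check_screenlock() {
  [ "$1" = "1" ]
}

# Runs both checks, prints one line per check, and returns non-zero if
# either fails so it can gate an MDM remediation or a monitoring alert.
audit_mac() {
  fv_out="$1"; sl_val="$2"; rc=0
  if check_filevault "$fv_out"; then
    echo "filevault: ok"
  else
    echo "filevault: NOT enabled"; rc=1
  fi
  if check_screenlock "$sl_val"; then
    echo "screenlock: ok"
  else
    echo "screenlock: password NOT required"; rc=1
  fi
  return $rc
}

# Constructed sample outputs for offline use (not captured from a real machine).
SAMPLE_FV_ON="FileVault is On."
SAMPLE_FV_OFF="FileVault is Off."
```

Run it periodically from the MDM or a login hook; a non-zero exit is the signal that someone (or an OS update) has undone the setting, which is the case the post describes.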