Also, seriously, what kind of chucklefuck puts the boundary at "clicking on the phish"
It's 2024. Browser one-click system hijacks aren't a thing anymore now that there's an actual fucking security model in the major OSs, and ain't anyone using zero-days on commercial customers anyway.
Your vuln surface is "putting the credentials in" and that's been covered for -years- now by, holy shit, MFA and credential managers.
This is not difficult. All of the issues around phishing are -extremely- solvable on the systems architecture and administration end; if phishing -matters- to your org then your org is set up wrong.
And yes, wrong. There is clearly a right way to do this.
@robryk
SOC2 and ISO 27001 evaluate for the controls necessary for this.
This requires a system of policies and technical measures to address, and that is something I do professionally.