Infrequent activities ?
Some jobs are only done infrequently (once per quarter or once per year or on an ad-hoc request). For an automated system to detect abnormal access but not give false alerts on infrequent valid access will be very difficult if not impossible.
Also the case of worker 1 being unavailable for some reason and worker 2 having to take his/her place on a temporary basis will cause a big change in the access patterns for worker 2.
There is also the question of who does the automated system report to - if the bad actor is the one who receives the reports then the system becomes useless.