You are correct. But it doesn’t work if it is not a SAP/ACCM, or code word project. The IC is very liberal when a new user sets up their account;, their manager only has to specify (in a very general nature) all the filters allowing them access.
And here is the thing: managers don’t grant access on what their employees are working on currently— they fill it out based on what they potentially will work on. Because no one wants to do more paperwork.
It comes down to laziness, and the counterintelligence folks do not conduct review on what an employee has access to— and what they are actually working on. I have never seen a manager being chastised for employees having access beyond their scope of work.
The interesting detail not yet revealed is: What was this kid’s job, and why did he need access?
No wonder our national security services leak like a sieve.