Using an IPS to identify users accessing information inconsistent with their role in the organization is better than doing nothing, I guess, but why did those credentials access network shares or databases the intended user wasn't supposed to access in the first place?
If their detection system is useful at all, then the principle of least privilege is definitely not being followed.