Disclosed embodiments relate to systems and methods for automatically and transparently detecting potential compromises or unauthorized use of endpoint computing devices. Techniques include engaging, at a security server, in an agentless management session with an application running on an endpoint computing device; controlling, at the security server and through the agentless management session, a user-facing session of the application; receiving, at the security server, an indication of anomalous activity or loss of a proximity between at least one of: the one or more personal computing devices associated with the user and the endpoint computing device, or the one or more personal computing devices associated with the user and the user; and implementing a control action in the agentless management session, based on the received indication.