There is security monitoring on organisational credentials appearing in (publicized) data-breaches.
If there are indications of compromise of passwords, or risks that the credentials of individuals are compromised, passwords will be forcibly changed and the users informed.
Specification
Services such as "Have i been pwned" can be used to monitor for the appearance of organisational accounts in breaches.
Losing a device on which ongoing sessions may be active should also qualify as cause for password rotation.
ISO 27001 & 27002:2022
A5.25,
A5.35,
A5.36,
A8.8,
A8.15,
A8.16,
A8.19,
A8.29,
A8.34
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.04 Logging
SM.05 Security testing surveillance and monitoring