One thing I’m particularly curious about — how people handle false positives in login anomaly detection without overwhelming users or security teams.