The problem is that that work seems essentially unlimited (you can invent crazier and crazier possibilities that you need to check for), and doesn't seem to be something that we do so much for physical intrusions which nevertheless have the same features (you can find keys, take copies of keys, even change locks or cut make false walls / doors).

Your infrastructure should aim to be robust against people persisting themselves (in this case, something that allows an employee to persist themselves beyond the validity of their credentials is a serious problem whether the hacker does it or not). Where it is not, that's your failing. Charging the hacker for finding out where your infrastructure is failing is perverse since if anything their attack made it easier to spot a failing. If they did persist themeselves, then obviously the cost to fix that belongs on the hacker, but the cost to identify such things is something you should be doing anyway.