In many cases, a person can be written up for an ‘infraction’ which may not need to be reported outside the company. Where I work, if you get more than a certain number of infractions in a given period of time, then it must be reported.
Things like leaving a classified container unsecured, leaving classified material out unsecured, leaving a classified workstation unattended. violating some security policy related to a secure system, these things could be written up as an infraction, or possibly have to be reported to the customer.
Many years ago I heard of a guy in the military who intentionally left a safe open so somebody else could access their security file or something stupid like that. It was reported, the individual lost his clearance. That’s the only incident that comes to mind where something absolutely had to be reported up the chain.