I have thought about this from time to time. I imagine the implementation would not be much different in principle than a honeypot.

Give them an account and password that is routed to a honeypot. They get what they think is legit documentation, and this gives you time to track the breach and act upon that breach.

How frequently would this be needed - probably rare at the most frequent.