Before you consider removing a user from remedial procedures you need to validate that a technical error in your data actually occurred or more than likely occurred. Resist the urge to comply with all of these statements. Doing so will create a culture of complaints and negligence, knowing they can simply fall back on complaining - a nasty stain on security culture.
Build a dispute form
Often, forwarding users which protest their “click” status to a formal dispute form will be deterred to proceed in the event they are trying to pull a fast one. The presence of this from alone shows formality which suggests an actual investigation will occur, which may deter a large volume of challenges. Additionally, this form serves as an excellent reporting and liability paper trail in the event repeat offenses occur showing due diligence and care.
Act on the form
Provide complainants proof from your platform of the time/date of the click with matching IP address and device used as well as email template used to trigger the click. Often the maturity of data alone is enough to thwart liars, but more importantly, for those who may have simply forgot, the timestamp and template image will help jog their memory.
Run a live test
If the user in question still insists a click did not occur, offer to deliver the template in question to them live, while they share their screen. Have them open the email as they normally would without clicking the engaging elements. If no “click” is reported, they more than likely either accidentally clicked or forgot they did so. Neither of which should excuse them from remedial policy.
Rest assured that this process is respectful
While some problematically stubborn employees may not be satisfied with any level of proof that the data is accurate, the largest volume of employees will respect this process, assuming you build it out well and implement with confidence.