You've got it. I have an NDR I mirror packets to and it picked up the connection. I think the guy hit a Tor IP before connecting with NordVPN, but I do remember seeing the connection to Tor that sparked the alert, followed by the traffic to Nord. Either one of those things would have triggered an investigation into the user.
Forwarded that to my security team and washed my hands of it. Wish I knew why users pull stuff like that on company resources. If they just did it at home, I wouldn't care!
I'm a systems admin. Last week, I had an employee using a VPN to try and hide their traffic. My monitoring software caught it. I couldn't see the traffic, but I could see it connected to a known Tor IP. My system saw the fishy connection and sent the alert. Just be careful and don't assume you're completely safe with the VPN.
It's best to assume your IT department can see everything you do, and keep personal stuff on personal devices.