Bender 14 hours ago
Use the dirty-net next time, the non-meta ASN, for doing pentesting. Every company should route non-essential traffic out alternate circuits to keep their employee IP addresses and behavior out of logs that point back to their employer. This does not preclude scrubbing the traffic with one's DLP, MitM proxies, etc... It's just another route. Keep YT and porn off the corporate circuits. Maybe even go so far as to have multiple SNAT pools for different categories of non-work-related content. Make the dirty-net the default routes and only route meta-destined networks over the corporate-specific networks. I set up something like this ages ago in a company that was acquired by a company run by a literal mobster. I had a 1U server with two interfaces that routed my coworkers out a path that bypassed the mob-monitored devices. To the uppers it just appeared my coworkers were really dedicated and not wasting time on YouTube, LinkedIn, Facebook, etc...