In the scenario OP described, there likely wouldn't be many/any IDS/IPS alerts if done properly. Those systems aren't going to identify the attack since it will have occurred prior to the systems arriving at the facility. Yes, it will probably be obvious if all these systems start sending spam as fast as they can. On the other hand, what if they only send an occasional email or make a sporadic HTTPS connection that sends logged keystrokes or other information that's been harvested from the system?
Now, if you're denying all outbound except mail from the mail server and web access from the proxy server, you could potentially notice this in the firewall logs. However, this is likely one of those things that's obvious if you're looking for it, but in reality, it would be closer to finding a needle in a haystack. What if ICMP or DNS is used as a transport instead? There are many scenarios where a slow, subtle attack such as this would be extremely difficult to identify, especially on a busy network.
Maybe you guys have had much better experiences than I have, but I know something like this would go completely undetected for a long period of time at many organizations, regardless of their size. There are certainly ways something like this could be combated effectively, but I think you're making some risky assumptions when it comes to how well organizations will actually be able to do that.
The day you stop learning is the day you start becoming obsolete.
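
Added example, not part of the post above: a sketch of the firewall-log check the post alludes to, grouping out-of-policy outbound flows by source host so that rare but recurring senders stand out from bursts. The log format, the addresses, the `ALLOWED` policy and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed egress policy (hypothetical addresses): only these
# (source, protocol, destination port) tuples may leave the network.
ALLOWED = {
    ("10.0.0.25", "tcp", 25),    # mail server -> SMTP
    ("10.0.0.80", "tcp", 80),    # proxy -> HTTP
    ("10.0.0.80", "tcp", 443),   # proxy -> HTTPS
    ("10.0.0.53", "udp", 53),    # internal resolver -> DNS
}
# Constructed log format: "<ISO time> <ALLOW|DENY> <proto> <src> -> <dst>[:port]"
LINE = re.compile(r"(?P<ts>\S+) (?:ALLOW|DENY) (?P<proto>\w+) "
                  r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+)(?::(?P<port>\d+))?")

def egress_violations(lines):
    """Group out-of-policy outbound flows by source host.
    The firewall verdict is ignored on purpose: permitted ICMP or DNS
    from a workstation is as interesting as a denied SMTP attempt."""
    hosts = defaultdict(lambda: {"count": 0, "days": set(), "kinds": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        proto = m["proto"].lower()
        port = int(m["port"]) if m["port"] else None  # ICMP has no port
        if (m["src"], proto, port) in ALLOWED:
            continue
        h = hosts[m["src"]]
        h["count"] += 1
        h["days"].add(datetime.fromisoformat(m["ts"]).date())
        h["kinds"].add((proto, port))
    return hosts

def low_and_slow(hosts, min_days=3, max_per_day=2):
    """Hosts that break policy rarely but on many separate days."""
    return sorted(src for src, h in hosts.items()
                  if len(h["days"]) >= min_days
                  and h["count"] / len(h["days"]) <= max_per_day)

# Constructed sample: a quiet HTTPS beacon, a quiet ICMP sender,
# one spam burst, and two policy-conforming flows.
SAMPLE = (
    [f"2024-03-0{d}T02:14:07 DENY tcp 10.0.1.17 -> 203.0.113.9:443" for d in (1, 2, 3, 4)]
    + [f"2024-03-0{d}T11:30:00 ALLOW icmp 10.0.1.22 -> 203.0.113.50" for d in (1, 3, 4)]
    + [f"2024-03-02T09:00:0{s} DENY tcp 10.0.1.40 -> 198.51.100.7:25" for s in range(6)]
    + ["2024-03-01T08:00:00 ALLOW tcp 10.0.0.25 -> 198.51.100.7:25",
       "2024-03-01T08:00:01 ALLOW tcp 10.0.0.80 -> 203.0.113.9:443"]
)

if __name__ == "__main__":
    print(low_and_slow(egress_violations(SAMPLE)))
```

The spam burst from 10.0.1.40 is recorded as a violation but is not returned by `low_and_slow`, since it is the loud case a rate alert already catches; the per-day aggregation is what surfaces the two quiet hosts.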