Is there an option to disable private key export by a non-admin user?

The main purpose for us using the PGP technology is to protect sensitive files sent to us from being stolen in transfer and/or in storage.

However, if someone (say, a fired employee) exports the private key and knows the passphrase (because he/she was authorized to receive and decrypt files), he/she can decrypt the files at home easily.

Changing the passphrase doesn’t help, because the exported private key used the passphrase that was active at the moment of export, and will still decrypt new files - am I right?

Therefore, limiting the option for the user to export a private key would be a good idea. Can it be done?

Kind regards
Stan

Two approaches come to my mind immediately:
a) Change the private certificate each time your group changes.
b) Use a hardware crypto token, e.g. a smartcard and control access to it.
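
A small model of the passphrase point raised in the question and of approach (a) in the reply, added here as an example and not taken from either post or from any PGP product. It assumes a simplification: the key pair is modelled as a single random secret and the cipher is an HMAC-based stand-in from the Python standard library; all names and passphrases are constructed.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode, used here only as a stand-in cipher
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or passphrase")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def protect(secret, passphrase):
    # The passphrase only wraps one stored copy of the key material
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
    return salt + seal(kek, secret)

def unlock(blob, passphrase):
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), blob[:16], 100_000)
    return unseal(kek, blob[16:])

def can_read(key_copy, passphrase, message):
    try:
        unseal(unlock(key_copy, passphrase), message)
        return True
    except ValueError:
        return False

def scenario():
    key_v1 = secrets.token_bytes(32)
    keyring = protect(key_v1, "old passphrase")      # constructed sample values
    exported = keyring                               # copy taken before the change
    keyring = protect(unlock(keyring, "old passphrase"), "new passphrase")
    after_change = seal(key_v1, b"sent after the passphrase change")
    key_v2 = secrets.token_bytes(32)                 # approach (a): replace the key
    after_rotation = seal(key_v2, b"sent after key replacement")
    return {
        "keyring_opens_with_old_passphrase": can_read(keyring, "old passphrase", after_change),
        "exported_copy_reads_file_after_change": can_read(exported, "old passphrase", after_change),
        "exported_copy_reads_file_after_rotation": can_read(exported, "old passphrase", after_rotation),
    }
```

Changing the passphrase re-wraps only the copy in the keyring, so the earlier copy keeps working until senders encrypt to a replacement key.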