I would appreciate your "best practice" responses to the question, "Is it overkill to wipe a machine after successful phishing attempt?"
To properly answer that question, one would need details on the phishing attempt, including:
- How was this detected, and deemed as successful?
- What is the potential impact?
- What kind of security controls do you have in place?
- What will be the business impact of wiping the system?
Incident response usually depends on the scenario --- varying with impact, organisation policies, regulatory authority requirements, etc. --- so a 'best practice' approach should be used when setting up controls instead.
(In my opinion, wiping is overkill if you're utilizing images, dealing with end-user systems, aren't protecting sensitive data, and have proper controls in place --- in which case completely isolating a system from the rest of your network should suffice, since you may need it for investigations.)