I imagine that the mission parameters were that he take a check and remove money from the account.
It would also make sense that this is the CEO's account, or one he also controls, because he's in on the test and can give informed consent. Also, probably the CEO doesn't have any special access so breaking into his identity wouldn't impact the bank the way breaking into the IT manager's account might.
If this was a fake account (one with no real user) then they wouldn't have discovered this flaw because Mitnick couldn't have called the user. Having a real person be exploitable is essential to proper discovery of the full scope of the problems.