#3686 - More configurability of IP address session locking
It used to be, and people still believe, that IP addresses are classified as A-E (https://study-ccna.com/classes-of-ip-addresses/). However, this has not been the case since the 1990s. ARIN has been supplying IP addresses with much tighter CIDR ranges to try to preserve space, not supplying based on the original class structure.
So the only way to find what network an IP address is on is to query against ARIN using a whois query - which is against their terms and conditions, and incurs a performance cost.
Then, if a machine is jumping IP addresses in a network, why not across different networks for the same provider (as providers may have many)? So we'd check that the "NetName" of the IP address matches rather than that the subnet matches.
But if we do that, we definitely lower security.
And anyway, someone may jump different providers entirely, if jumping between wifi and cellular (for example).
The current situation is fine, I think. It either checks all 4 IPv4 address components, the first 3, or it doesn't check the IP at all. The admin can decide what security they want.
And if the IP check doesn't match, they aren't logged out - they get cookie login and just need to reconfirm their session to get protected zone access back.
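The three strictness levels and the mismatch policy described in this post, written out as an added example (this is illustration code, not the tracker's or the project's own implementation). The mode names `all4`, `first3` and `none`, the session dictionary layout and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from typing import Literal

# Strictness levels from the post: compare all four IPv4 octets, only the
# first three, or skip the IP check entirely. These mode names are assumed
# for this example and are not the project's real configuration keys.
Mode = Literal["all4", "first3", "none"]

# How many leading bits must agree for each mode ("first3" octets == /24).
PREFIX_BITS = {"all4": 32, "first3": 24}


def ip_matches(stored_ip: str, current_ip: str, mode: Mode) -> bool:
    """Return True when the current request's IP is close enough to the IP the
    session was created from, according to the configured strictness."""
    if mode == "none":
        return True
    stored = ipaddress.ip_address(stored_ip)
    current = ipaddress.ip_address(current_ip)
    # Only IPv4 has "four components"; an address-family mismatch can only
    # pass if the two addresses are literally identical (they never are).
    if stored.version != 4 or current.version != 4:
        return stored == current
    bits = PREFIX_BITS[mode]
    # ip_network(..., strict=False) masks off the host bits, so the two
    # addresses match under this mode when they land in the same /bits network.
    return (ipaddress.ip_network(f"{stored}/{bits}", strict=False)
            == ipaddress.ip_network(f"{current}/{bits}", strict=False))


def evaluate_session(session: dict, current_ip: str, mode: Mode) -> dict:
    """Apply the mismatch policy from the post: a failed IP check does not log
    the member out; the session drops to a cookie login and must be reconfirmed
    before protected-zone access is restored."""
    if ip_matches(session["ip"], current_ip, mode):
        return {**session, "protected_zone": True}
    return {**session, "protected_zone": False, "needs_reconfirm": True}


if __name__ == "__main__":
    # Constructed sample session and request addresses (documentation ranges).
    session = {"member": "alice", "ip": "203.0.113.10", "protected_zone": True}
    for mode in ("all4", "first3", "none"):
        for req_ip in ("203.0.113.10", "203.0.113.77", "203.0.114.10"):
            result = evaluate_session(session, req_ip, mode)
            print(f"{mode:6} {req_ip:14} protected={result['protected_zone']}"
                  f" reconfirm={result.get('needs_reconfirm', False)}")
```

Under `first3`, a member moving between addresses inside the same /24 keeps protected-zone access, while a jump to a neighbouring /24 only flags the session for reconfirmation rather than destroying it; `all4` treats any change as a mismatch and `none` never flags.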