the classic corporate strategy: ban the thing everyone’s already using and call it ‘risk management’. your compliance policy isn’t a force field, it’s just a PDF nobody reads
Completely agree. Banning something outright rarely works; it just pushes usage out of sight.
The point I was trying to make is that governance has to show up in how work actually gets done. Otherwise you end up with compliance on paper and risk in practice.