It is a bit frustrating when you want to do risk based approach but then it is much more work to explain it to people who don’t know better but they want a checkbox or read on the internet “that’s proper way of doing things”.

Another example is password complexity rules, we try to use latest recommendations with no forcing of PW change, no requirements beside length - but then there will be customer that will make fuss that we don’t have it as as it is compliance check box to have complex PW.