Doesn't even require that many people. The analysis can mostly be automated, and the request process can be handled via peer review. Having one or two people for every 100-200 developers who can give sensible advice, provide some general oversight of what's going on, and step in to say 'no' occasionally does help, though.
Also means you can put an end to a popular antipattern that has grown in recent years: letting your production infrastructure talk to whatever it likes to download whatever it likes from the Internet.