Good for you. Over-enforcement absolutely needs to be penalized. One of my biggest weaknesses is refusing to let people get away with the kind of lazy thinking you encountered.

Hands up if you’ve ever been told you can’t do something because of potential SOC2 audit non-compliance. Or it’s against GDPR. Or legal won’t allow it. Or it’s against IT security policy. Or just against “policy”.