Cybersecurity policy establishment and cybersecurity policy enforcement are usually executed independently in an organization.
Normally, policy authors have the deeper knowledge of the rationale, stated explicitly or left implicit, for why a given protection is required to secure the organization's cyberspace. The enforcement team simply follows the book, issuing advisories or performing compliance checks.
The world is not perfect, and the situation at hand will determine whether a case should be treated as a policy exception or as evidence that the policy is inadequate and needs revision.
As cybersecurity practitioners, we must exercise professional judgment and advise a pragmatic approach that helps the business achieve policy compliance, rather than handing down a zero-or-one decision. After all, few organizations have a “cyber court” where a “cyber judge” issues the final ruling. Some cybersecurity practitioners even engage in the malpractice of escalating to Senior Management for approval instead of taking up their own professional responsibility. Senior Management should be kept informed, not placed in the role of approver.