> I think industry overreaction to the regs is possibly as large or larger of a problem than the regs themselves.

I see this over and over again in regulated industries like banking and healthcare. No one wants to risk tripping up the regulations so company lawyers write up crazy and often conflicting “requirements” to satisfy legislation. The limitations placed by company council are often far more restrictive than regulations actually require. You have lawyers dictating engineering or software design requirements based off of a shoddy understanding of other lawyers attempts to regulate said industries they also don’t really understand.

And this isn’t to say that engineers are somehow better at this than lawyers. Engineers make just as many of these sorts of mistakes when developing things via a game of telephone. As someone who has played the architect role at many companies, it’s not enough to set a standard. You have to evangelize the standard and demonstrate why it works to get buy in from the various teams. You have to work with those teams to help them through the hurdles. Especially if you’re dealing with new paradigms. I don’t know to what degree this happens for other industry standards. But it seems like mostly folks are left to figure it out themselves and risk getting fined or worse if they misinterpreted something along the way.

I’d like to believe there is a way to balance lenience for companies that are genuinely trying to adhere to regulations but miss the mark at places and severely cracking down on companies that routinely operate in grey areas as a matter of course. But humans suck. And lenience given is just more grey areas for the fuck heads to play in. We cannot have nice things.