@SecurityWriter The hardest thing about infosec is promises and expectations mean nothing unless you commit to them and verify them. And that process can be inconvenient, but it's less inconvenient than getting your architecture owned because you had a good plan and then ignored it.

I think there's an analogy here to SLA maintenance. Google purposefully brings down internal systems periodically that exceed their SLA so that they can confirm that catastrophic impact doesn't result if people assume that a 5-9s SLA means "always up." This has resulted in a couple of vacations postponed and in at least one incident I'm aware of some moderate disruption to business as usual as people had to sort out an unexpected cascade failure.

But these outcomes are still considered preferable because without this testing, the cascade failure can happen at a time you don't expect it.
