Congratulations, you have Active Directory, 27 different systems with complicated group and role permissions. Or even better, maybe you’ve got some of that logic written directly into your application…more than once!
And now you’ve got your regulatory compliance auditor asking for reports about who can access that piece of data from last quarter! And your development director turns to your devops lead and says “When did we deploy that code patch?”
Moreover, how well do you know all those new hires? How can you be sure no one’s snooping around in the sensitive accounting data?