There always seems to be a considerable gap between policy development and execution.
This often stems from a delineation between the org that develops versus audits said policies.
Beyond administrative controls, many companies are now deploying security solutions (e.g., DLP, CASB, EMM/MDM, MAM, IAM/IDM, DMARC/SPF, ATP) w/ policy engines. To implement either admin and/or technical safeguards and not validate their utilization is a noticeable risk.