How do you balance the friction between implementing strict security controls and maintaining developer velocity?