Unfortunately, it seems that the reverse is true: a pound of IA documentation per ounce of real security. To be fair, managing security through a risk management function requires that certain processes be ruthlessly followed. One function that comes to mind is access control, and in particular a process to remove accounts or access from individuals who no longer require it. Not all organizations have a process or procedure in place to conduct periodic reviews of accounts, or semi-automatic functions to deactivate accounts. It doesn’t take a pound of paper to create a basic account review process, nor does a recurring calendar reminder to ensure the review takes place… probably not even an ounce of paper.