As a business (as opposed to a Company of One, like yours truly) your strategic advantage comes from codifying repeated workflows into proper processes. This leads to desirable side effects, one of them being the time, money and effort saved by doing things the Proper Way you’ve always done them.
What I’ve noticed is that many companies go to great lengths to codify complex interactions, but . . . end up either overthinking things, making the process more complicated than necessary; or the very opposite: forgetting to codify things, and then forgetting to execute.
Two examples that I’ve noticed in recent years:
It’s probably a good idea to immediately revoke access and offboard a contractor whose invoice you have no desire to pay. American firms are very good at this. Privately held European corporations, especially the larger firms, also. Some startups as well, when the founders have at least one security person on the board. Otherwise, it’s like watching a slow-moving train wreck: imagine being subjected to an external audit, and the auditor finding both an unpaid invoice and write access (or worse) to the core parts of the infrastructure. ;-)
It’s probably a good idea not to overthink new processes for corporate open-source platforms you’ve never used. This is something that you’ll work out in time, typically within the first two years after setting up new infrastructure. People change, and platforms do too, in subtle ways, so you’d want to make sure your documentation remains easily adaptable. Preferably on the leaner side.
With some creativity, these two opposite cases are easily solvable. There might be a middle ground between the two extremes - pure laissez-faire, and pure top-down design - and you might be able to find it in due course.