Employees bypass systems that keep them from doing their job. The usual IT security posture considers them as unreliable and weak. Would a fully opposite approach based on trust by default, only informing staff about risk and requiring them to take explicit responsibility for the data they share improve the security of the enterprise?