Permission as a function of responsibility

Responsibilities are a function of a person's role in the team.

If someone is responsible for doing something, then they should have access to the systems they need to accomplish their task.

You can grant permissions based on responsibilities, or you can grant them ad hoc. Granting permissions ad hoc is called an exception.

The more exceptions, the more manual work, which means more chances for mistakes.

You need exceptions, because your design is never perfect. Edge cases happen every day. But you don't want to hire security staff to handle exceptions all day.

The more you systematize access management, the less you have to spend on access control operations.
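
To make the idea concrete, here is an added example (not part of the original post) that derives each person's access from their role's responsibilities and reports every grant the model does not explain as an exception. All role, responsibility, system and person names are hypothetical, and the data is constructed for illustration.

```python
# Constructed sample data: every role, responsibility, system and person is hypothetical.
ROLE_RESPONSIBILITIES = {
    "backend-dev": {"ship-services", "debug-staging"},
    "sre": {"operate-production", "debug-staging"},
    "support": {"answer-tickets"},
}
RESPONSIBILITY_ACCESS = {
    "ship-services": {"git:write", "ci:run"},
    "debug-staging": {"staging:shell"},
    "operate-production": {"prod:shell", "pager:ack"},
    "answer-tickets": {"helpdesk:agent"},
}
PERSON_ROLE = {"alice": "backend-dev", "bob": "sre", "carol": "support"}
ACTUAL_GRANTS = {
    "alice": {"git:write", "ci:run", "staging:shell", "prod:shell"},
    "bob": {"prod:shell", "pager:ack"},
    "carol": {"helpdesk:agent", "billing:read"},
}


def expected_access(role):
    """Permission as a function of responsibility, responsibility as a function of role."""
    duties = ROLE_RESPONSIBILITIES.get(role, set())  # unknown or missing role: no duties
    return set().union(*(RESPONSIBILITY_ACCESS[d] for d in duties))


def audit(person_role, actual_grants):
    """Compare what each person holds with what their role implies."""
    report = {}
    for person in sorted(set(person_role) | set(actual_grants)):
        expected = expected_access(person_role.get(person))
        actual = actual_grants.get(person, set())
        report[person] = {
            "exceptions": sorted(actual - expected),  # granted ad hoc, not explained by role
            "missing": sorted(expected - actual),     # responsible, but lacks the access
        }
    return report


def exception_ratio(report, actual_grants):
    """Share of all grants that had to be approved and tracked by hand."""
    total = sum(len(grants) for grants in actual_grants.values())
    ad_hoc = sum(len(entry["exceptions"]) for entry in report.values())
    return ad_hoc / total if total else 0.0


if __name__ == "__main__":
    result = audit(PERSON_ROLE, ACTUAL_GRANTS)
    print(result, f"exception ratio: {exception_ratio(result, ACTUAL_GRANTS):.0%}")
```

Tracking the exception ratio over time shows whether the role model is absorbing edge cases or whether manual grants are piling up.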