Unblocking change requests

If a change request contains security concerns, my instinct is to block them. I don't want to set a precedent, or build bad habits.

You can block change requests until they get approved. Or you can let changes through and catch any error in operations. If your strategy requires you to go fast, you might need to do the latter.

It's like taking a loan. You don't have the time capital right now because you're still getting your business off the ground. You accept to pay some interest in accumulated risk.

It could be very risky.

But doing business is risky. And there might be morale cost to slowing down development with long debates.

If a change request introduces changes you disagree with, you can still approve it. Approve it under the condition that an objection gets logged.

The important part is reviewing them.

Have a way to make sure that objections get reviewed. Sometimes you will need to revert changes. Sometimes you will have a good reasons to create a new policy. But often you'll realize that it was no big deal.