Strategy 2
Operations can encode business intent: approve invoice, view payroll, delete record.
Every new endpoint, report, export, or agent tool must remember to repeat the policy.