This seems misguided. If you are taking principle-of-least-privilege seriously (and it seems that's what people are trying to do with very sophisticated authz systems) then legitimate users will bounce off the edges of their privileges very frequently. If they can't figure out what those edges are or how to expand the frontier when necessary, they're not going to be able to accomplish necessary tasks.

A policy of "stay the hell away, don't even ask" only works if you're drawing the boundary very far from the user's legitimate sphere of influence.



Dunno, just reporting what I understood it to be. It may be that a distinction can be made between company-internal and company-external attempts at access, but that is pretty risky.

Any solution to the valid point you have made would have to be organisational.

But the saying goes something like "security is annoying, good security is very annoying" - anyone know the original?
