You get these things all the time. You make a policy so you can move the needle in some direction, like saving money for instance, and you forget to look at the easily-seen consequences.

The classic example of this is password policies. You can have nice strong passwords or you can have weak passwords that you change often. Whenever you force someone to change their password too often, you inevitably get weak passwords that tend to be algorithmic in nature.

You can do other things too… like when requesting access to some expensive resource, you can make it easy or hard. If you make it easy and never audit, you wind up with waste as people abuse the resources. If you make it too hard to acquire resources, you wind up with people hoarding them, because if they were to get rid of them, they’re hard to get back when they’re needed again. EC2 machines, for instance.

The right thing is nearly always in the middle… the key is to think through the policies that you’re rolling out to see how they will affect behavior and, more importantly, whether they move things in the way you’re intending them to move.