I was talking with someone recently who rolled out whole-disk encryption to meet a compliance need. Someone told them they needed to encrypt, so they encrypted.

They do, of course, automatically log in users so they don’t have to enter their passwords. I asked, “Isn’t password authentication, never mind strong authentication, also a compliance requirement?”

“Oh yeah, it is. They all get passwords, they just don’t have to type them in themselves. Someone went down the list for compliance and checked all the boxes, but if you open a PC and turn it on, it boots right up and you don’t have to log in. There wasn’t a checkbox for that.”

Classic. Simply classic.