Very true. However, when creating security policy, one should always keep in mind those that have permission to access information, rather than those that have actual access to information.
It's a nightmare to me that there could be 15 people that have actual access to information, but a random official in the chain of command could give any one of 1.4 million people access to it without any further vetting.
it still requires stakeholders delegating access to said individuals for different [sub]compartments.