[paranoidrobot]

As the de-facto Security team - the main concern for me isn't so much "lock everyone out immediately" aspect, it's the reduction in the number of sets of credentials for people. It is a benefit in the onboarding/offboarding process, too - it's one less thing you need to go in and manually turn off accounts.

People suck at remembering passwords, and even if you go and give them Password Manager tools like 1Password/Lastpass/whatever, they'll still tend to re-use the same password they use for their personal email, and that random service that recently got pwned.

It's worse when they have credentials like AWS IAM Keys that are while not difficult, are inconvenient to rotate. Those are likely to just sit around on someone's machine and get leaked inadvertently in logs or test code.