For security policies to be followed, they must be known and enforced wherever possible and reasonable. If your users can’t follow your policies due to business process conflicts, or you can’t enforce the rules due to a lack of technology or another shortcoming you’re unwilling to mitigate, then you’re probably better off not having them at all.
