Many large companies suffer from the concept of shadow IT. The use of software and services that aren’t blessed by the company to accomplish tasks that are blessed. As someone in security at a large company, I expect this is a matter of not every company has people who follows rules. I know I’ve seen and know, even within security orgs, plenty of people who don’t follow the rules because a few bad rules makes them feel that other important rules are also bad. It’s pretty simple to bypass the software companies use to “enforce” the rules