A compliance programme can die by being too ambitious.
Yes. We talk a lot about commoditization and how "the market" reduces SOC 2 or ISO 27001 to mindless compliance checks.
Now, I've seen the other extreme:
Of course, all with only one person in charge of the management system.
Sometimes, an initiative that "looks promising" can mess up the system more than anything else.
Proportionate compliance, and alignment between "what we do" and "available resources", should be valued more (vs burying yourself under work that can't be done).
Ironically, that's exactly what ISO 27001 is about.