Hacker News

Company policy does not have the force of law, and violating company policy should not be met with legal ramifications unless those violations also transgress the law. Most company policies forbid installing games on company laptops—should that be treated as a felony?



Not apples to apples at all.

IAM mistakes easily touch prod, laptop games don’t.


I don't see how "touching prod" has anything to do with the unauthorized use of computer resources.


Sure, good question. Have you ever built/audited IAM policies before? That helps with understanding the context.

You can get fired for HR reasons through a pattern of misbehavior. That misbehavior needs to be safely within legal territory such that a wrongful termination suit can't occur (to really generalize).

Prod example:

A not inconceivable pattern of misbehavior could be repeatedly causing prod events simply because the IAM allows the user to touch prod, because the user has an overly permissive IAM policy. Policies like that are very, very common in the wild, and almost equally at small or large companies (but for different reasons).

This could be hedged by an AUP or prod access policies, but then what wins out... the company might have an internal prod-access policy in place, but the laws, per this change, clearly state that if the IAM allows them to do it, it's not illegal to do so solely based on that reason. So, HR loses legal precedent to support their firing, which isn't an area HR loves being in I think.

You can generalize prod events to over-permissive IAM causing any number of moronic environment problems by a single user, but if they're only doing it because the IAM allows it and the user doesn't know any better, this legal change means it's not illegal (at least under the CFAA).


> Sure, good question. Have you ever built/audited IAM policies before? That helps with understanding the context.

Yes, I have been working in regulated industries for a while in devops and security roles.

> So, HR loses legal precedent to support their firing, which isn't an area HR loves being in I think.

I think this is the crux of it, frankly. People can be fired for arbitrary reasons, including violation of company policy, even if that policy is not backed by force of law. If you perform unauthorized access of customer info willfully and that is in violation of policy, why does HR need the force of law? If you were a key holder and repeatedly left the door unlocked at close despite previous warning, while not violating the law you should likely be let go.



