Still, punishing after the fact is no substitute. If the reward is greater than the punishment, then it renders the policy moot.
If I publish my crypto wallet private keys and enact a policy that anyone who tries to take the wallet contents will be beaten to death, and get everyone to agree to this policy, then it would be rendered moot when the person who steals the wallet uses it to hire personal bodyguards.
I don't disagree with this. The use of policies with enforcement is that it raises the risk to the employee, so that raises the amount someone must spend to get them to take that risk.