AvatarMatt Gilbert

I don’t think the whitelist is required. I think knowing which accounts are used for what is the key. If you can demonstrate that you know what all accounts are there for and there is a business justification for those accounts, I view that as the spirit of the practice. If an account is used to connect or is “hard coded” or otherwise part of an automated process, I will want to understand what the reason for that is and how to ensure the account is only used for that purpose.