Disabling script signing on dev machines and requiring signatures on production scripts sounds like perfectly reasonable behavior to me. I know a lot of people are scared of PKI, but it's way easier than people think. Signing things is a one-liner; I keep certs on a portable HSM and it's really low friction.
You can still turn off the script signing requirement without running a script (right?). Presumably this will be logged to the Windows Event Log, so there should be a mechanism that watches logs for this and alerts someone to investigate.
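As an added example (not from either commenter), the following PowerShell session shows both points: signing a script really is one cmdlet, verification catches any edit to the signed body, and the execution policy is a per-scope setting backed by a registry value that a monitoring rule can watch. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and uses a throwaway self-signed certificate in place of the HSM-held cert the first commenter describes; the script content and subject name are constructed for the demo.

```powershell
# Added example; not code from the thread. Run in an elevated or normal Windows session.

# 1. Demo-only self-signed code-signing cert. In production use a CA-issued cert,
#    e.g. one held on a hardware token, and distribute the CA to Trusted Publishers.
$cert = New-SelfSignedCertificate -Subject 'CN=Demo Code Signing (constructed)' `
    -Type CodeSigningCert -CertStoreLocation Cert:\CurrentUser\My

# 2. A constructed script to sign.
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "hello from a signed script"'

# 3. The one-liner: appends an Authenticode signature block (# SIG # ...) to the file.
Set-AuthenticodeSignature -FilePath $script -Certificate $cert | Out-Null

# 4. Verify. Status is Valid only when the hash matches AND the signer chains to a
#    trusted root; with an untrusted self-signed cert it reports UnknownError and the
#    StatusMessage explains that the chain ends in an untrusted root.
$sig = Get-AuthenticodeSignature -FilePath $script
'{0}: {1} / {2}' -f (Split-Path $script -Leaf), $sig.Status, $sig.StatusMessage

# 5. Change one character of the body; the signature block is untouched but the
#    hash it covers no longer matches, so verification now reports HashMismatch.
(Get-Content -Path $script) -replace 'hello from', 'HELLO from' | Set-Content -Path $script
'after edit: {0}' -f (Get-AuthenticodeSignature -FilePath $script).Status

# 6. The second commenter's point: the requirement itself is a setting, not a script.
#    The effective policy is the first scope (top to bottom) that is not Undefined;
#    MachinePolicy and UserPolicy come from Group Policy and Set-ExecutionPolicy
#    cannot override them, which is why GPO is the right place to pin production hosts.
Get-ExecutionPolicy -List

# 7. The LocalMachine scope persists in this registry value. A detection rule that
#    alerts on writes to it (registry auditing or an endpoint sensor) catches a policy
#    being flipped to Bypass/Unrestricted even when no script ever executes.
$key = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
Get-ItemProperty -Path $key -Name ExecutionPolicy -ErrorAction SilentlyContinue |
    Select-Object ExecutionPolicy

# Clean up the demo cert and file.
Remove-Item -Path $cert.PSPath, $script -ErrorAction SilentlyContinue
```

Rerun step 4 after importing the demo cert into Cert:\CurrentUser\TrustedPublisher and Cert:\CurrentUser\Root to see the status change to Valid; that trust step is exactly what an internal CA does for you at scale.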