
This has always boggled my mind - If you don't trust me to pick a decent password and maintain my own machine, why in God's name would you trust me to write code or deploy/maintain company infrastructure?


MFA isn't solely about "the user had poor security posture and can't be trusted". It's about what happens even if the user's info is leaked by an information breach of a service. I.e. "having the login info for the service isn't enough, the user must be notified and approve of the login via a separate factor".

That's why MFA is referred to as defense-in-depth rather than being a better password.


1. Even if they trust you, they might not be willing to extend that trust to non-technical staff (or even non-infra staff) and having a global policy is the easiest. 2. Even if they trust you, your employer's customers definitely don't, and a lot of big contracts will have security exhibits that explicitly require MFA if you're handling their data.


They _don't_ trust you to do that stuff. Not unilaterally at least. In a healthy system you generally aren't able to change anything without sign off from multiple other people.


Also the argument they make is, they don't trust every single component of your machine, and want to mitigate the damage caused by an attacker or malware breaking in and impersonating you.


If I have a group of N people who I individually don't trust not to use mike1234 as a password, I wouldn't trust them as a collective either - at least until N gets impractically large.


So no need for code reviews then since all humans are fallible!


Nah, it's not lack of trust, it's just compliance and plausible deniability.

