I spoke with an administrator last week who is responsible for enforcing her governance policy. When anyone asks her to create a one-off profile, her standard response is that unless it falls into their existing segmentation (by region and then by business unit), she requires an SVP approval to create it. In other words, unless the request falls into her established governance policy that all parties in IT and the business have agreed to, the one-off profile won't be created.
This kind of response is not surprising considering how easy it is for profiles to proliferate based on these types of ad hoc requests. And once a profile is created and assigned to an active user, the admin has to keep maintaining that one-off profile through every subsequent update.
As a result, many admins I've spoken with have created a governance policy to control the number of profiles they need to maintain. It should be a policy that all stakeholders, including the business, agree to, since it's possible that multiple administrators in different segments of the business will need to create one-off profiles. It therefore takes guidelines, discipline, and auditability to ensure that the policy isn't violated.
For example, you may have any number of page layouts for an object. Your governance rule specifies that profiles will only be created by region. As a result, you have your own Account page layouts for European and North American sales reps but not for English and French sales reps, which would be a more granular distinction than the policy allows for.
Advantages to a governance policy for creating profiles
Maintenance is manageable for a large implementation
Provides an advanced level of flexibility while maintaining a level of simplicity
Provides the ability to increase flexibility at a later date
Scalable for future phases
Ways to create this granularity may include segmenting by:
1. Business Unit
6. Line of Business
7. Product Line
8. Product Portfolio
9. Cost Center
It's good to limit the number of levels of granularity, for instance, first by business unit and then by region. You may have a profile called Corporate Sales - Europe and another called Field Sales - Europe, but it may not be beneficial to create a third level such as Corporate Sales - Europe - Financial Services unless absolutely necessary.
Even after setting the configuration granularity, there may still be exceptions. In the case of exceptions, it helps to have an agreed-to approval process (which may even be automated using custom objects and workflow approvals in the app). Having an established governance policy merely provides guidance to the analysts and architects in their planning, and when additional approvals are necessary, such as in the case of exceptions, there is an established process to obtain that approval.