Risk acceptance. That's the actual end goal.
I.E., what level of risk is the business willing to accept? a MiTM appliance that pulls multiple duties (https proxy and content filtering AND security filtering), or an entirely open connection and a Infosec group that's ten times it's size to deal with the increased number of security incidents, massive productivity issues from over half the company looking at facebook/youtube/[insert time wasting site]/adult sites, and the over-utilization of the internet connection that also deals with little things like payment processing and our phone system.
My company chose the MiTM appliance. It's a pain in the butt to keep on top of it, there's a list of sites we've had to manually whitelist as long as my... well, it's pretty long, and there are interesting rendering issues with some sites due to the https proxy. (seems java does not play nicely with the internal CA we used to issue a subordinate issuer certificate to the appliance, which was by itself a pain in the butt to do.)
anon for reasons