"Ooops, that's my bad. Nothing that I documented was what I said it was. You're right to be frustrated by this. I promise I won't mess this up next time."
Make things obvious by tying to core company values or how certain aspects might be against them. If you have security teams that take their job seriously, they can help draft policy. There are ways to approach this properly and still CYA.
Don’t forget, it’s the CEO’s job to choose whether or not to have you steer towards the iceberg. If he chooses to drive hard and fast right into it, maybe it was meant to be.
You just described my life back when Slackware OG was alpha in 1993, but on a 386 PC. 31 years later I never used my EE degree but traveled through all sorts of aspects of IT and IS.