Forum Discussion
Debate: How do you configure an optimal and scalable ASM policy structure?
I don't know that you can definitively answer this question, but I'll answer it anyway. In theory you would put a negative security policy in place and then you would add all the objects you expect to find to a whitelist, effectively giving the ASM a map of your application.
As you correctly note, most people don't understand their web application well enough to tell you what should be there, and what should not. The negative security policies generate a lot of false positives if they aren't very carefully applied, and as a result the web admins decide the WAF either doesn't work or doesn't work well.
Advanced WAF is intended to address these use cases. If you either don't have Advanced WAF, or can't move to it, and you don't have a comprehensive overview of your web application, applying a negative security policy and spending the time to disable attack signatures that generate false positives in your environment is not a bad way to go. If you have whitelist features you are comfortable with, they will certainly help. Without Advanced WAF it really is a balancing act between maintenance and functional security, with reduced maintenance meaning reduced security, and more security requiring more maintenance.
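The "spend the time to disable signatures that generate false positives" step in the answer above is usually done by triaging the ASM event log, so here is an added example of that triage, written for this page and not taken from the post or from F5. It parses key="value" event lines in the style of ASM remote logging (the sample lines, field names, client IPs, URLs and signature IDs below are constructed placeholders, not real signatures), and flags a signature as a false-positive review candidate only when it fires repeatedly on the same URL from several distinct clients; a signature hit many times from a single source is more likely a real attacker and is left alone. The thresholds and the candidate rule are assumptions you should tune to your own traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in the key="value" style of ASM remote logging.
# Signature IDs, IPs, URLs and the policy name are placeholders, not real data.
SAMPLE_LINES = [
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="10.0.0.5",'
    'request_status="alerted",uri="/api/search",sig_ids="200001088,200004032",'
    'sig_names="Placeholder sig A,Placeholder sig B",violations="Attack signature detected",support_id="1001"',
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="10.0.0.6",'
    'request_status="alerted",uri="/api/search",sig_ids="200001088",'
    'sig_names="Placeholder sig A",violations="Attack signature detected",support_id="1002"',
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="10.0.0.7",'
    'request_status="alerted",uri="/api/search",sig_ids="200001088",'
    'sig_names="Placeholder sig A",violations="Attack signature detected",support_id="1003"',
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="10.0.0.5",'
    'request_status="alerted",uri="/api/search",sig_ids="200004032",'
    'sig_names="Placeholder sig B",violations="Attack signature detected",support_id="1004"',
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="10.0.0.5",'
    'request_status="alerted",uri="/api/search",sig_ids="200004032",'
    'sig_names="Placeholder sig B",violations="Attack signature detected",support_id="1005"',
    # Three hits on /login from one address: looks like a single attacker, not a false positive.
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="198.51.100.9",'
    'request_status="blocked",uri="/login",sig_ids="200002147",'
    'sig_names="Placeholder sig C",violations="Attack signature detected",support_id="1006"',
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="198.51.100.9",'
    'request_status="blocked",uri="/login",sig_ids="200002147",'
    'sig_names="Placeholder sig C",violations="Attack signature detected",support_id="1007"',
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="198.51.100.9",'
    'request_status="blocked",uri="/login",sig_ids="200002147",'
    'sig_names="Placeholder sig C",violations="Attack signature detected",support_id="1008"',
    # A non-signature violation; it carries no sig_ids and is skipped by the tally.
    'ASM:unit_hostname="bigip1",policy_name="/Common/app_policy",ip_client="10.0.0.8",'
    'request_status="blocked",uri="/upload",sig_ids="",sig_names="",'
    'violations="Illegal file type",support_id="1009"',
]

# key="value" pairs; the value may contain commas (sig_names does) and escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_asm_line(line):
    """Turn one key="value" event line into a dict of field -> raw value."""
    return {key: value for key, value in KV_RE.findall(line)}


def signature_hits(lines):
    """Tally signature hits per (signature id, URI) and the distinct client IPs behind them."""
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        event = parse_asm_line(line)
        if "Attack signature detected" not in event.get("violations", ""):
            continue
        for sig_id in event.get("sig_ids", "").split(","):
            sig_id = sig_id.strip()
            if not sig_id:
                continue
            key = (sig_id, event.get("uri", ""))
            hits[key] += 1
            sources[key].add(event.get("ip_client", ""))
    return hits, sources


def false_positive_candidates(lines, min_hits=3, min_sources=2):
    """Signatures that fire repeatedly on one URI from several clients: review before disabling.

    Returns (sig_id, uri, hit_count, distinct_sources), most-hit first. The thresholds are
    assumptions; single-source bursts are excluded because they look like one attacker.
    """
    hits, sources = signature_hits(lines)
    candidates = [
        (sig_id, uri, count, len(sources[(sig_id, uri)]))
        for (sig_id, uri), count in hits.items()
        if count >= min_hits and len(sources[(sig_id, uri)]) >= min_sources
    ]
    candidates.sort(key=lambda row: (-row[2], row[0], row[1]))
    return candidates


if __name__ == "__main__":
    for sig_id, uri, count, n_sources in false_positive_candidates(SAMPLE_LINES):
        print(f"review signature {sig_id} on {uri}: {count} hits from {n_sources} clients")
```

Run against a day's worth of exported events, the candidate list is what you take into the policy to decide, per URL rather than globally, whether a signature should be disabled, left in staging, or kept enforced; the review is still manual, the script only tells you where to look first.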