A control isn't a control until you've watched it fail closed.
Static analysis tells you what the policy says. Penetration tests tell you what an attacker found last quarter. Neither tells you whether the OAuth flow rejected an expired token at 14:02 today. APIContext runs the positive and negative scenarios continuously — so the moment a control fails open, you know.