How do you design and enforce a least-privilege IAM model for a microservice that syncs sensitive user emails at Superhuman?