How do you implement least-privilege IAM policies in a multi-tenant AWS environment without disrupting developer velocity?