You are responsible for an internal REST API that serves customer account data to several backend services. The API is currently protected by static API keys passed over HTTPS, and those keys are shared across multiple workloads. A recent review found that one key was copied into a debug log and may have been exposed. You need to tighten access without breaking service-to-service traffic.
How would you redesign the authentication and authorization flow for these API calls so that only approved workloads can access the data? What would you do to detect, contain, and recover from a suspected key leak or service compromise?