Step 1: Baseline What's Actually Used
Before tightening anything, turn on IAM Access Analyzer's unused access findings and let it observe for 90 days. The output tells you which permissions are dead weight and which are load-bearing.
Step 2: Tighten in Detection Mode First
Use Service Control Policies (SCPs) at the organization level: write each Effect: Deny statement with an aws:CalledVia condition so you can test its impact in dry-run mode before hard enforcement.
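Added example (not code from the original page) tying the two steps together in Python: it collects unused actions from constructed, simplified Access Analyzer findings, emits a Deny SCP scoped by an aws:CalledVia condition, and evaluates that statement against sample requests. Assumptions: the finding shape is a constructed simplification rather than the exact Access Analyzer API schema, and scoping the Deny to calls made through one named service (CloudFormation here) is the chosen way to narrow impact before widening the policy.

```python
import fnmatch
import json

# Constructed sample findings in a simplified shape (not the exact Access Analyzer API schema):
# one entry per principal, listing the permissions unused during the tracking period.
SAMPLE_FINDINGS = [
    {"findingType": "UnusedPermission", "resource": "arn:aws:iam::111122223333:role/app-role",
     "unusedActions": ["s3:DeleteBucket", "iam:CreateUser"]},
    {"findingType": "UnusedPermission", "resource": "arn:aws:iam::111122223333:role/ci-role",
     "unusedActions": ["ec2:TerminateInstances", "s3:DeleteBucket"]},
    {"findingType": "UnusedIAMRole", "resource": "arn:aws:iam::111122223333:role/legacy-role"},
]

def unused_actions(findings):
    """Distinct unused actions across all UnusedPermission findings, sorted for a stable policy."""
    actions = set()
    for f in findings:
        if f["findingType"] == "UnusedPermission":
            actions.update(f["unusedActions"])
    return sorted(actions)

def build_scp(actions, called_via):
    """Deny the actions only when the request arrives through one of the listed services.
    aws:CalledVia is a multivalued key, so ForAnyValue:StringEquals is the operator to use."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnusedActionsCalledVia",
        "Effect": "Deny",
        "Action": actions,
        "Resource": "*",
        "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": list(called_via)}},
    }]}

def is_denied(scp, action, called_via_chain=()):
    """Minimal evaluator for the statement shape built above. A direct call carries no
    aws:CalledVia key, and ForAnyValue on a missing key evaluates to false, so the
    scoped Deny leaves direct callers untouched."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        wanted = stmt["Condition"]["ForAnyValue:StringEquals"]["aws:CalledVia"]
        if any(svc in wanted for svc in called_via_chain):
            return True
    return False

if __name__ == "__main__":
    policy = build_scp(unused_actions(SAMPLE_FINDINGS), ["cloudformation.amazonaws.com"])
    print(json.dumps(policy, indent=2))
```

Once findings from the wider observation window confirm the Deny list, the same builder can emit the statement without the aws:CalledVia condition for hard enforcement.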