...
Make sure you have a list of all the consumers onboarded in the system and that they are tracked.
Any new consumer to be onboarded must go through a design review.
Make sure you analyze the risk of providing access to consumers, and trust them solely with the ACLs you attach to them.
Never give an app access to the SuperAdmin ACL.
Have your consumers categorized as mentioned in this document.
You must not provide access to the SuperAdmin role to any consumer, whether internal or application. Only in rare cases will we provide access to consumers with SuperAdmin roles, and then only with approval from a design review and from at least 2 higher authorities who are responsible, after discussions with the environment owner.
Make sure you perform an audit of all the consumers every release and remove unused consumers.
...