...
Make sure you maintain a tracked list of all the consumers onboarded in the system.
Any new consumer to be onboarded requires approval from higher authorities and will have to go through a design review.
Make sure you analyze the risk of providing access to consumers and trust them solely with the ACLs you are attaching to them.
Never give an app consumer access to the SuperAdmin ACL.
Have your consumers categorized as mentioned in this document.
You must not provide access to the SuperAdmin role to any consumer, whether internal or application. Only in rare cases will we provide consumers with access to SuperAdmin roles. Such access can be provided only after approval from a design review and with approval from at least 2 higher authorities who are responsible, after discussions with the environment owner.
Make sure you perform an audit of all the consumers every release and remove unused consumers.
...