Least privilege, logging, traceability.
Retention and access boundaries that match your risk posture.
Policies, approvals, human-in-the-loop where it matters.
Documentation and change control support.
Risk review checklist and evidence collection.