Status: IN
IAM's multiple authorization evaluation paths (identity-based, resource-based, session, boundary) each have unique bypass mechanisms — resource policies bypass boundaries via user ARNs, PassRole bypasses CloudTrail visibility, and cross-account requires dual explicit controls — making single-path hardening insufficient.