
AWS IAM + Federation access controls

0

One of my customers has the use case below and is looking for some guidance and a resolution. I have found this document; however, I am not completely sure if this is going to help their use case. [+] https://docs.aws.amazon.com/singlesignon/latest/userguide/provision-automatically.html#auto-provisioning-considerations

Goal: I am writing a new EA standard for cloud authentication to provide guidance to our Ops team on how to manage cloud access and permissions that goes a little deeper than the principle of least privilege.

Assume an example company using AWS, Azure, and GCP. We use Ping to federate to AD groups that map to AWS SGs. Hypothetically, a company could do this and have too few SGs, thus causing mappings that are not least privilege but rather roles like Admin, Power User, Developer. In such a hypothetical case, if a project-level Admin role SG user decided one of her peers, who already has federated access to the account, needed admin as well, she might just use the portal to add the Admin SG or even just modify the SG they are currently in, adding additional permissions.

In such an example situation, given few operational resources, what would be the best practice for controlling access without creating hundreds of new AD groups and SGs?

I think the answer is to automate it as policy as code with robust reporting and anomaly detection, but I want to see if there is any other option?

I mention GCP and Azure because the solution desired would hopefully not require 3 times the effort due to its uniqueness.

I am looking at the IAM docs now but if you know of a document that shows a pattern that covers all three cloud vendors incorporating Ping it might be helpful.

1 Answer
0

For managing access and permissions across multiple cloud platforms, consider following the principle of least privilege, reusing existing role-based AD groups, automating policy as code, using multi-cloud management tools, and continuing with federated access management solutions like Ping. These strategies can help manage resources and enforce compliance across environments without requiring separate identity systems for each cloud platform.

EXPERT
answered 2 years ago
  • Could you please provide any document or blog post related to your solution?
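Both the question (policy as code with reporting and anomaly detection) and the answer (automating policy as code) point at the same control: keep the AD-group-to-permission mapping in version control and diff the live state of each cloud against it, so a portal-side change like adding a peer to the Admin SG or attaching an extra policy to an existing SG shows up as a finding. The following is an added example written for this page, not code from the question, the answer, or any cloud vendor. It assumes the declared mapping and the exported live state are both expressed as a cloud -> group -> {permissions, members} structure; every cloud, group, user and permission name in it is constructed for illustration, and the privileged-permission list is a hypothetical starting point, not a vendor-defined one.

```python
"""Drift detection for federated group-to-permission mappings.

Added example, not code from the question or answer above. Assumptions (all
constructed for illustration): the authoritative mapping of AD group ->
cloud permission set is kept in version control as DECLARED; the live state
exported from each cloud's console or API is OBSERVED; cloud, group, user and
permission names are hypothetical.
"""
from dataclasses import dataclass

# Permission names treated as privileged across the three clouds (constructed).
PRIVILEGED = {"AdministratorAccess", "Owner", "roles/owner"}

# Authoritative mapping committed as code (constructed sample).
DECLARED = {
    "aws": {
        "AD-ProjectX-Admin": {"permissions": {"AdministratorAccess"},
                              "members": {"alice"}},
        "AD-ProjectX-Developer": {"permissions": {"PowerUserAccess"},
                                  "members": {"alice", "bob"}},
    },
    "azure": {
        "AD-ProjectX-Admin": {"permissions": {"Owner"}, "members": {"alice"}},
    },
    "gcp": {
        "AD-ProjectX-Developer": {"permissions": {"roles/editor"},
                                  "members": {"bob"}},
    },
}

# Live state exported from each cloud (constructed sample with three drifts:
# bob added to the AWS admin group, an extra policy attached to the AWS
# developer group, and an undeclared group in Azure).
OBSERVED = {
    "aws": {
        "AD-ProjectX-Admin": {"permissions": {"AdministratorAccess"},
                              "members": {"alice", "bob"}},
        "AD-ProjectX-Developer": {"permissions": {"PowerUserAccess", "IAMFullAccess"},
                                  "members": {"alice", "bob"}},
    },
    "azure": {
        "AD-ProjectX-Admin": {"permissions": {"Owner"}, "members": {"alice"}},
        "AD-ProjectX-Temp": {"permissions": {"Contributor"}, "members": {"carol"}},
    },
    "gcp": {
        "AD-ProjectX-Developer": {"permissions": {"roles/editor"},
                                  "members": {"bob"}},
    },
}


@dataclass(frozen=True)
class Finding:
    cloud: str
    group: str
    kind: str       # unknown_group | extra_permission | extra_member | missing_member
    detail: str
    severity: str   # critical | high | medium


def detect_drift(declared, observed):
    """Compare observed mappings with the declared ones, cloud by cloud."""
    findings = []
    for cloud, groups in observed.items():
        for group, live in groups.items():
            spec = declared.get(cloud, {}).get(group)
            if spec is None:
                # A group nobody declared in code: always worth a look.
                findings.append(Finding(cloud, group, "unknown_group",
                                        ", ".join(sorted(live["permissions"])), "high"))
                continue
            # Permissions attached beyond what the code declares.
            for perm in sorted(live["permissions"] - spec["permissions"]):
                sev = "critical" if perm in PRIVILEGED else "medium"
                findings.append(Finding(cloud, group, "extra_permission", perm, sev))
            # Members added beyond the declared list; worse if the group is privileged.
            privileged_group = bool(spec["permissions"] & PRIVILEGED)
            for user in sorted(live["members"] - spec["members"]):
                sev = "critical" if privileged_group else "medium"
                findings.append(Finding(cloud, group, "extra_member", user, sev))
            # Members removed outside of code (usually benign, still a deviation).
            for user in sorted(spec["members"] - live["members"]):
                findings.append(Finding(cloud, group, "missing_member", user, "medium"))
    return findings


def summarize(findings):
    """Count findings per severity for the report."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = detect_drift(DECLARED, OBSERVED)
    for f in results:
        print(f"[{f.severity}] {f.cloud}/{f.group}: {f.kind} {f.detail}")
    print(summarize(results))
```

Run against the constructed sample, the script reports three findings: bob's unapproved addition to the AWS Admin group (critical, because the group carries a privileged permission), the extra IAMFullAccess policy on the AWS Developer group (medium), and the undeclared AD-ProjectX-Temp group in Azure (high). Because the comparison works on a cloud-neutral structure, the same check covers AWS, Azure and GCP once each export is normalised into it, which is the "not three times the effort" property the question asks for; wiring the exports to the real APIs and routing critical findings to an alerting channel is left to the operator.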
