I’d add drift detection on everything IAM / SCP / Org to this list too.

A session token with only a few minutes validity can be enough for someone to make their access permanent.