To improve their cloud agility, companies must allow developers to experiment and innovate quickly and safely. What happens when our developers need the IAM privileges to let a Lambda function read and write data in a DynamoDB table or an S3 bucket? How can we delegate responsibility for app-specific IAM resources to our developers without compromising security and compliance requirements? How can our organization define a proper IAM strategy? To answer these questions we must build a strong identity foundation, applying the principle of least privilege and enforcing separation of duties. Last but not least, the organization must start treating its security baseline like a product: delivering it through CI/CD automation and adopting policy-as-code.
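As an added example (not code from the original post), the following Python script shows what a minimal policy-as-code check for least privilege can look like: two constructed IAM policy documents for the Lambda/DynamoDB/S3 scenario described above, one over-broad and one scoped, and a linter that flags wildcard actions, wildcard resources and mismatched service ARNs so that a CI pipeline can reject the broad one before it is deployed. The account id, region, table and bucket names are placeholders.

```python
"""Added example (not from the original post): a minimal policy-as-code
check that flags IAM policy statements which break least privilege.
The policy documents below are constructed for illustration; the account
id (123456789012), region, table and bucket names are placeholders."""
from typing import Dict, List

# Constructed: the kind of policy a developer might attach to a Lambda role
# in a hurry. It grants every DynamoDB and S3 action on every resource.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:*", "s3:*"], "Resource": "*"}
    ],
}

# Constructed: the same need, scoped to the actions and resources the
# function actually uses.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/orders",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::orders-bucket/*",
        },
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict) -> List[str]:
    """Return one finding per least-privilege violation found in an
    Allow statement. An empty list means the policy passed every check."""
    findings: List[str] = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        # Wildcard actions ("*" or "service:*") grant far more than needed.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action '{action}'")

        # A "*" resource lets the role touch every table/bucket in the account.
        for resource in resources:
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource '*'")

        # An ARN whose service does not match any action's service is
        # usually a copy-paste mistake; flag it so it gets reviewed.
        services = {a.split(":")[0] for a in actions if ":" in a}
        for resource in resources:
            if resource.startswith("arn:aws:"):
                svc = resource.split(":")[2]
                if svc not in services:
                    findings.append(
                        f"statement {i}: resource '{resource}' does not match "
                        f"the services of its actions {sorted(services)}"
                    )
    return findings


def gate(policy: Dict) -> bool:
    """CI gate: True when the policy has no findings and may be deployed."""
    return not lint_policy(policy)


if __name__ == "__main__":
    for name, pol in [("broad", OVERLY_BROAD_POLICY), ("scoped", LEAST_PRIVILEGE_POLICY)]:
        print(name, "->", "PASS" if gate(pol) else "FAIL")
        for finding in lint_policy(pol):
            print("   ", finding)
```

Run as a step in the pipeline that deploys the developer's stack, `gate()` turns the least-privilege rule into an automated, repeatable check instead of a manual review; the separation of duties comes from the security team owning the linter rules while developers own the policies it evaluates.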