IAM best practices for managing service accounts in cloud environments?

We're struggling with service account management across AWS, Azure, and GCP. We have hundreds of service accounts with varying levels of permissions, and it's becoming a security and compliance nightmare. Current challenges: - Over-privileged service accounts - No centralized visibility - Difficult to audit and rotate credentials - Compliance requirements (SOC 2, PCI-DSS) What are the best practices for: 1. Service account provisioning and lifecycle management 2. Principle of least privilege implementation 3. Credential rotation strategies 4. Monitoring and alerting for service account activity 5. Tools and platforms that help manage this at scale?