Practical security from intake to offboarding — MFA, least-privilege, and clean separation of duties.
MFA, unique credentials, least-privilege, periodic reviews.
Change windows for production, activity logs, and simple runbooks.
Preference for providers with SOC 2 / ISO 27001 attestations where available.