Data & Infrastructure
Open
Asked by Krell
Question
Kubernetes egress policies: default-deny vs allow-list for external APIs?
Running a multi-tenant cluster where workloads need to call various external APIs (payment gateways, SaaS, internal services). We're debating egress NetworkPolicies: default-deny with explicit allow-lists per namespace vs allowing broad CIDR ranges and relying on mTLS + API keys. The allow-list approach is more secure but creates a maintenance nightmare when teams add new integrations. What's worked in practice for teams with 20+ namespaces and frequent new external dependencies?
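For the default-deny plus allow-list approach the question describes, here is what the per-namespace policy set typically looks like. This is an added example, not from the original post: the namespace name `tenant-a`, the CIDR `203.0.113.0/24` (a documentation range standing in for a payment gateway's published address block), and the assumption that a second, separate policy carries the allow-list are all illustrative choices; the `kubernetes.io/metadata.name` namespace label is the one Kubernetes sets automatically on every namespace.

```yaml
# Policy 1: deny all egress from every pod in the namespace.
# An empty podSelector matches all pods; listing Egress in policyTypes with
# no egress rules means nothing is allowed until another policy adds it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: tenant-a            # example namespace name
spec:
  podSelector: {}
  policyTypes:
    - Egress
---
# Policy 2: the namespace's allow-list. NetworkPolicies are additive, so this
# punches explicit holes in the deny above. Keeping it separate from the deny
# means teams edit only this file when they add an integration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-external-apis
  namespace: tenant-a            # example namespace name
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # Cluster DNS must be allowed or a default-deny silently breaks every
    # call that uses a hostname, which is the first thing teams hit.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # One external dependency per rule, scoped to the port actually used.
    # 203.0.113.0/24 is a placeholder for the provider's published range.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 443
```

Two practical points on why the allow-list becomes a maintenance burden and how to contain it: `ipBlock` only takes CIDRs, so SaaS endpoints behind CDNs or with rotating addresses force either wide ranges or constant updates; CNIs such as Cilium add hostname-based egress rules (`toFQDNs` in a `CiliumNetworkPolicy`) that remove most of that churn. And because the allow-list is its own object, it can live in the tenant's own repository and be reviewed like any other change, while the default-deny policy stays under platform ownership.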