Managing multi-tenant Kubernetes RBAC at scale without role explosion
Our cluster went from 12 to 47 namespaces after a reorg, and RBAC is becoming unmaintainable. We started with per-namespace RoleBindings but now have 200+ custom ClusterRoles because every team needs slightly different permissions on ConfigMaps, Secrets, and Deployments.

Two patterns we're evaluating:

1. Aggregator Roles — define 5-6 broad role archetypes (viewer, editor, operator, admin, auditor) and compose them via RoleBinding per namespace.
2. OPA/Gatekeeper admission — enforce policy boundaries dynamically instead of pre-defining every role.

Has anyone actually run option 1 in production past 50 namespaces? Where does the composition start to break down? And for option 2 — what's the performance hit on admission latency?
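As an added illustration of option 1 (not from the original post): one aggregated "editor" archetype, one labelled fragment that feeds it, and a per-namespace RoleBinding that scopes it. The names `archetype-editor`, `rbac.example.com/aggregate-to-editor`, `team-payments` and `team-payments-devs` are placeholders.

```yaml
# Added example, not from the original post; all names are placeholders.
# Archetype "editor": an aggregated ClusterRole with no rules of its own.
# The controller fills in rules from every ClusterRole carrying the label.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: archetype-editor
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.example.com/aggregate-to-editor: "true"
rules: []   # populated by the aggregation controller; do not edit by hand
---
# One fragment per resource family. A team that needs an extra verb adds a
# labelled fragment instead of cloning the whole archetype.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fragment-editor-workloads
  labels:
    rbac.example.com/aggregate-to-editor: "true"
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
# Secrets are deliberately absent: they belong to a separate archetype
# (e.g. "operator") so the broad editor role never grants Secret reads.
---
# Scope the cluster-wide archetype to one namespace: a RoleBinding may
# reference a ClusterRole, and the grant then applies only in that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-payments-editor
  namespace: team-payments
subjects:
  - kind: Group
    name: team-payments-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: archetype-editor
  apiGroup: rbac.authorization.k8s.io
```

Once applied, `kubectl auth can-i list secrets -n team-payments --as=anyone --as-group=team-payments-devs` should answer `no`; running that check across every namespace is the cheapest way to catch a fragment that quietly widened an archetype.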