SOC 2 CC6.1 logical access: how do you prove least-privilege enforcement across ephemeral K8s workloads?
SOC 2 Common Criteria CC6.1 requires logical access security. In traditional infra, this is straightforward — IAM policies, role assignments, periodic access reviews. But with ephemeral Kubernetes workloads (pods that live for minutes, service accounts that rotate, SPIFFE/SPIRE identity issuance), the audit trail becomes fragmented. How are engineering teams demonstrating least-privilege to SOC 2 auditors in container-native environments? Specifically:

- Do you snapshot RBAC state at audit time, or maintain a continuous compliance dashboard?
- How do you handle namespace-level service account permissions that change multiple times per day?
- What evidence format do auditors actually accept for ephemeral infrastructure?
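One concrete form the "snapshot RBAC state" evidence could take, as an added example that is not part of the original post: a script that ingests the object list a `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` call would return, resolves the effective permissions of every ServiceAccount (honouring the rule that a ClusterRole bound through a RoleBinding is scoped to that namespace only), flags wildcard grants as least-privilege findings, and emits a canonical JSON snapshot with a SHA-256 digest so a reviewer can later confirm the artifact was not altered. The RBAC objects in `SAMPLE_RBAC` are constructed sample data, not output from a real cluster, and the namespace and account names are assumptions.

```python
"""Snapshot Kubernetes RBAC state into a tamper-evident evidence record (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the fields this script needs from the JSON that
# `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` returns.
SAMPLE_RBAC = {
    "roles": [
        {"namespace": "payments", "name": "reader",
         "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
        {"namespace": "payments", "name": "admin-ish",
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    ],
    "clusterRoles": [
        {"name": "secret-reader",
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    ],
    "roleBindings": [
        {"namespace": "payments", "roleRef": {"kind": "Role", "name": "reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "payments"}]},
        {"namespace": "payments", "roleRef": {"kind": "Role", "name": "admin-ish"},
         "subjects": [{"kind": "ServiceAccount", "name": "batch", "namespace": "payments"}]},
        # A ClusterRole referenced from a RoleBinding grants only within that namespace.
        {"namespace": "payments", "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "api", "namespace": "payments"}]},
    ],
    "clusterRoleBindings": [
        {"roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "batch", "namespace": "payments"}]},
    ],
}


def _rules_for(rbac, role_ref, binding_ns):
    """Resolve a roleRef to its rules; Role lookups are namespace-scoped, ClusterRole ones are not."""
    if role_ref["kind"] == "ClusterRole":
        match = [r for r in rbac["clusterRoles"] if r["name"] == role_ref["name"]]
    else:
        match = [r for r in rbac["roles"]
                 if r["name"] == role_ref["name"] and r["namespace"] == binding_ns]
    return match[0]["rules"] if match else []


def effective_permissions(rbac):
    """Map 'namespace/serviceaccount' -> sorted (scope, apiGroup, resource, verb) tuples."""
    perms = {}
    bindings = [(b, b["namespace"]) for b in rbac["roleBindings"]]
    bindings += [(b, "*") for b in rbac["clusterRoleBindings"]]  # scope "*" means cluster-wide
    for binding, scope in bindings:
        rules = _rules_for(rbac, binding["roleRef"], scope)
        for subj in binding["subjects"]:
            if subj["kind"] != "ServiceAccount":
                continue  # users and groups are out of scope for workload identity evidence
            bucket = perms.setdefault(f"{subj['namespace']}/{subj['name']}", set())
            for rule in rules:
                for grp in rule["apiGroups"]:
                    for res in rule["resources"]:
                        for verb in rule["verbs"]:
                            bucket.add((scope, grp, res, verb))
    return {sa: sorted(entries) for sa, entries in perms.items()}


def wildcard_findings(perms):
    """Least-privilege check: any '*' in apiGroup, resource or verb is reported as a finding."""
    findings = []
    for sa, entries in perms.items():
        for scope, grp, res, verb in entries:
            if "*" in (grp, res, verb):
                findings.append({"serviceAccount": sa, "scope": scope,
                                 "grant": f"{grp or 'core'}/{res}:{verb}"})
    return findings


def evidence_snapshot(rbac, captured_at=None):
    """Canonical JSON body plus its SHA-256 digest; the digest is what gets logged as evidence."""
    captured_at = captured_at or datetime.now(timezone.utc).isoformat()
    perms = effective_permissions(rbac)
    body = {"capturedAt": captured_at, "effectivePermissions": perms,
            "findings": wildcard_findings(perms)}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"digest": hashlib.sha256(canonical.encode()).hexdigest(), "snapshot": body}


if __name__ == "__main__":
    print(json.dumps(evidence_snapshot(SAMPLE_RBAC), indent=2))
```

Run on a schedule (or from an admission/CI hook) and append each digest to a write-once log; because the body is serialised canonically, two snapshots of the same RBAC state produce the same digest, which makes it easy to show an auditor exactly when permissions changed and to prove a stored snapshot matches the digest recorded at capture time.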