Comment by athrowaway3z

  9.  Get management to give you the authority to force users to rotate their AWS access keys which are 8 years old.

Saying "keys which are 8 years old" implies you're worried about the keys themselves, which is just wrong. (Their security state depends on monitoring)

You can definitely make a strong argument that the organization needs practice rotating, so I would advise reframing it as an org-survivability-planning challenge and not a key-security issue.