This is unfortunately unavoidable for any system like IAM. All of them evolve into a monstrosity because of so many conflicting requirements, most importantly being simple and tractable on one end and being able to express any imaginable predicate on the other.
And god help you if you want to use one of their many competing data engineering tools, all of which will be duct-taped onto Glue and require not just IAM but also another layer of RBAC on top of IAM. Like you said with IAM, I think it just slowly evolved into the mess it is today, but it's rough. Trying to just run a simple Spark query using an S3 Table Bucket was enough to remind me why Snowflake and Databricks are printing money by making it a more user-friendly experience.