Imagine, you drop IAM and revive the good old user/password system.

You have no way to see "who can/cannot get to this thing". Yet who could argue that user/password are "complicated" ?

NB: using IAM access/secret key has indeed the same issue