If anyone uses Azure AKS and wants to give more granular permissions to their deployments, Azure Workload Identity might help:
https://discourse.prefect.io/t/use-aks-workload-identity/3354. And if anyone has experience with customizing work pools, there is room for a little improvement. Azure Workload Identity hooks into the Kubernetes concept of service accounts, and is fairly elegant.