Over time, roles and responsibilities change, and with these changes, the required permissions are also changed. Ensure that the users within the groups that you have configured are still applicable to that group. If they are not, remove the user. Also, ensure you have a policy of how to remove credential information for when a user no longer requires any access at all.

An additional risk with loose policy permissions is that if the credentials were to be compromised then the malicious user would have a far greater potential to cause disruption and gain access to data that otherwise would have not been possible had the correct permissions sets on the policy.