An operations team has a standard that states IAM policies should not be applied directly to users. Some new team members have not been following this standard....

An operations team has a standard that states IAM policies should not be applied directly to users. Some new team members have not been following this standard. The operations manager needs a way to easily identify the users with attached policies.
What should a solutions architect do to accomplish this?