
But does not using IAM mean that they are not doing anything to handle credentials securely?


To keep with the house analogy, not using IAM is like building your own locks for your house.

It might be enough for now, but if you grow big enough to be a target it's very likely your home-spun lock won't stand up to professionals.


To use the house analogy, it's more like a shed vs a mansion. How many doors are there? How many different keys are there for them, and is there a master key? If you have a shed, there's only going to be one key, for the door. Maaaaaybe a key for the safe inside. If it's an exorbitant mansion with three kitchens and two garages, there's a key for the front door, a key for your bedroom, a key for the safe room, a key to the wine cellar, a key to the garage, a key to the IT closet, a key to the office, a key to the... you get the point.

If it's only ever going to be a shed, there's no need for the infrastructure to support that many keys.


I think it's figuring out where to put them or installing them yourself vs building the locks.

Most things have accounts (database, servers). Are you using separate ones or a global admin?


Thanks, that makes sense. What does IAM offer that a stand-alone service like Keybase doesn’t? At what scale of project does it make sense to use one over another?


How do you secure AWS credentials on a compromised machine?

Any solution that you build is going to be more complicated and less secure than IAM. In IAM, your workload/server can have an identity. The software running on the server is issued temporary credentials as needed, and only has access to resources linked to the role. How do you do this without identity and access management? Roll your own because IAM is too crazy?
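Added illustration, not code from the thread: a toy Python model of the role mechanism the comment above describes. The `Role`/`TempCredentials` types and the `app-assets` bucket ARNs are made up, and the evaluator only mirrors IAM's default-deny, explicit-Deny-wins rule in simplified form; it is not AWS's implementation.

```python
"""Toy model of role-scoped temporary credentials (added example, NOT AWS code).
Shows the two properties the comment relies on: credentials expire, and they
can only reach resources the role's policy names (default deny, Deny wins)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
import secrets

@dataclass
class Role:
    name: str
    statements: list  # each: {"Effect", "Action": [...], "Resource": [...]}

@dataclass
class TempCredentials:
    role: Role
    token: str          # opaque session token, constructed here
    expires_at: datetime

def issue_credentials(role, now, ttl=timedelta(hours=1)):
    """Workload identity step: creds are minted per role with a short expiry,
    so nothing long-lived ever sits on the server's disk."""
    return TempCredentials(role, secrets.token_urlsafe(16), now + ttl)

def _matches(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)  # '*' as in IAM ARNs

def evaluate(statements, action, resource):
    """IAM-style evaluation: default deny; any explicit Deny overrides Allow."""
    decision = "deny"
    for st in statements:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision

def authorize(creds, action, resource, now):
    if now >= creds.expires_at:
        return "expired"
    return evaluate(creds.role.statements, action, resource)

# Constructed sample role: read-only on one bucket, secrets/ prefix carved out.
APP_READER = Role("app-reader", [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
    {"Effect": "Deny", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::app-assets/secrets/*"]},
])

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    creds = issue_credentials(APP_READER, t0)
    return {"read_asset": authorize(creds, "s3:GetObject", "arn:aws:s3:::app-assets/logo.png", t0),
            "read_secret": authorize(creds, "s3:GetObject", "arn:aws:s3:::app-assets/secrets/db.key", t0),
            "write_asset": authorize(creds, "s3:PutObject", "arn:aws:s3:::app-assets/logo.png", t0),
            "other_bucket": authorize(creds, "s3:GetObject", "arn:aws:s3:::payroll/2024.csv", t0),
            "after_expiry": authorize(creds, "s3:GetObject", "arn:aws:s3:::app-assets/logo.png", t0 + timedelta(hours=2))}
```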



