IAM isn't easy, but I don't think there is any way to build such a powerful system without at least having the possibility for it to become ultra-complex.
The challenge then becomes taming the complexity while still being "secure enough", i.e. as secure as possible without hindering your business purpose. This is where I take issue with many security specialists in the cloud ecosystem - every single one I have encountered has been good for nothing more than rattling off the best practices (which I already knew). The difficult part of security is understanding the trade-offs you are making, and assessing the risk - but the security people never seem to be intellectually equipped to help with that, only to dole out checklists.
It's a real problem. AWS IAM permissions are not human manageable anymore. The only way to get decent permissioning done is via an IaC abstraction layer that can generate them for you based on declared needs. AWS CDK does a pretty decent job here at making it so you can just say `myTable.grantRead(myLambda)`. A lot of the higher level constructs take care of transitive permissions that are needed. Even then, there are cases where you need to make sure you don't just do `myBucket.grantRead(thing)` but also `myEncryptionKey.grantDecrypt(thing)`.
Doing fine-grained permissions correctly is hard.