The 700k groups also comes about when the security tools are all inter-operating at the wrong abstraction level. If a third party appliance needs to import all 700k of your security groups it means the appliance is performing authorizations itself, logging it differently than your other apps, and even make decisions based on stale data it's cached (you can't load all 700k groups on every request.)

This task should really be delegated to a dedicated authz system, too bad more of the world doesn't run on Zanzibar.