How to scope down a policy?

I’m trying to scope down the permissions of a non-trivial policy that’s used by a CI/CD pipeline (to roll out and configure auth methods).

So far my approach has been trial and error, which is tedious and time consuming.

I was wondering if there are alternative approaches.

E.g. I could run the pipeline in a nonprod env with wider permissions - is there a way to get the list of permissions it actually requested and use that as a minimized policy for prod?

I started extracting this information from the audit logs.
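One way to do the audit-log extraction described in the post, as an added example that is not part of the original post: it assumes the policy is a HashiCorp Vault ACL policy and the log comes from Vault's JSON file audit device (one JSON object per line, with `type` set to `request` or `response`). The audit entries, the display name `token-ci-pipeline`, the paths, and the function names are constructed for the example.

```python
"""Derive a candidate least-privilege Vault policy from audit log lines.

Assumptions (not from the original post): HashiCorp Vault, JSON file audit
device, one JSON object per line. Sample entries below are constructed.
"""
import json
from collections import defaultdict

# Vault request operations map directly onto policy capabilities.
OPERATION_TO_CAPABILITY = {
    "create": "create", "read": "read", "update": "update",
    "delete": "delete", "list": "list", "patch": "patch",
}
# Path prefixes where Vault additionally requires "sudo" (known cases, e.g.
# enabling/disabling auth methods or audit devices); extend as needed.
SUDO_PREFIXES = ("sys/auth/", "sys/audit/")
CAP_ORDER = ["create", "read", "update", "delete", "list", "patch", "sudo"]


def collect_capabilities(lines, display_name=None):
    """Return {path: [capabilities]} for successful calls by display_name."""
    caps = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        # "request" entries carry no outcome; "response" entries repeat the
        # request and tell us whether it succeeded, so use only those.
        if entry.get("type") != "response":
            continue
        if entry.get("error"):
            continue  # a denied or failed call is not evidence the policy needs it
        auth = entry.get("auth") or {}
        if display_name and auth.get("display_name") != display_name:
            continue  # ignore other principals sharing the same audit device
        req = entry["request"]
        path, op = req["path"], req.get("operation")
        cap = OPERATION_TO_CAPABILITY.get(op)
        if cap is None:
            continue
        caps[path].add(cap)
        if cap in ("create", "update"):
            # Vault chooses create vs update by whether the path already
            # exists, so a rerun may need the other one; grant both.
            caps[path].update({"create", "update"})
        if path.startswith(SUDO_PREFIXES):
            caps[path].add("sudo")  # not visible in the log, inferred from the path
    return {p: sorted(c, key=CAP_ORDER.index) for p, c in caps.items()}


def render_policy(caps):
    """Render the collected capabilities as Vault HCL policy text."""
    blocks = []
    for path in sorted(caps):
        quoted = ", ".join(f'"{c}"' for c in caps[path])
        blocks.append(f'path "{path}" {{\n  capabilities = [{quoted}]\n}}')
    return "\n\n".join(blocks) + "\n"


def _entry(kind, op, path, name="token-ci-pipeline", error=None):
    """Build one constructed audit entry in the shape Vault's file device emits."""
    e = {"type": kind, "auth": {"display_name": name},
         "request": {"operation": op, "path": path}}
    if error:
        e["error"] = error
    return json.dumps(e)


# Constructed sample: a pipeline enabling and configuring an OIDC auth method,
# plus noise that the extraction must ignore.
SAMPLE_AUDIT_LINES = [
    _entry("request", "update", "sys/auth/oidc"),            # no outcome, skipped
    _entry("response", "update", "sys/auth/oidc"),
    _entry("response", "update", "auth/oidc/config"),
    _entry("response", "update", "auth/oidc/role/ci"),
    _entry("response", "read", "auth/oidc/role/ci"),
    _entry("response", "list", "auth/oidc/role/"),
    _entry("response", "read", "secret/data/ops/db", name="token-human"),
    _entry("response", "update", "sys/policies/acl/x",
           error="1 error occurred:\n\t* permission denied\n\n"),
]

if __name__ == "__main__":
    print(render_policy(collect_capabilities(SAMPLE_AUDIT_LINES,
                                             "token-ci-pipeline")))
```

Treat the output as a starting point to review, not a policy to ship: the log records the operation and path but not whether `sudo` was required, so that has to be inferred from known paths; it only shows the paths that particular run touched, so a pipeline that names mounts or roles dynamically will need wildcards rather than the literal paths; and `create` versus `update` depends on whether the path already existed at the time, which is why the script grants both.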