Employees shouldn't have default access to those credentials. This applies to audit/backup/account management/billing privileges. You can have very dedicated roles with lots of restrictions for those specific things.
If the organisation doesn't use SSO coupled with MFA and the enforcement of the least amount of privileges principle on a cloud platform, then they have no right to complain about security breaches.