Service accounts were the safest way for automation scripts to authenticate because you could apply Conditional Access (CA) policies to limit use to specific IPs or devices. But now you can buy Workload Identity licences and protect app registrations with CA policies too. Time to switch.
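When switching, it helps to check which automation service principals are actually covered by an enforced, location-restricted block policy. The sketch below is an added example, not part of the original post: it audits policy JSON in the shape returned by Microsoft Graph `GET /identity/conditionalAccess/policies`. The service principal and named-location IDs are constructed placeholders, and only location-based block policies are considered.

```python
# Added example: field names follow the Graph conditionalAccessPolicy resource.
ALL_SPS = "ServicePrincipalsInMyTenant"  # Graph keyword for every SP in the tenant
RANK = {"unprotected": 0, "report-only": 1, "enforced": 2}
STATES = {"enabled": "enforced", "enabledForReportingButNotEnforced": "report-only"}

def coverage(policy, sp_id):
    """How one policy covers one service principal (location-based block only)."""
    cond = policy.get("conditions") or {}
    client = cond.get("clientApplications") or {}
    included = client.get("includeServicePrincipals") or []
    if sp_id in (client.get("excludeServicePrincipals") or []):
        return "unprotected"
    if sp_id not in included and ALL_SPS not in included:
        return "unprotected"
    grant = policy.get("grantControls") or {}
    if "block" not in (grant.get("builtInControls") or []):
        return "unprotected"
    # IP restriction = block all locations except the excluded (allowed) ones.
    loc = cond.get("locations") or {}
    if "All" not in (loc.get("includeLocations") or []) or not loc.get("excludeLocations"):
        return "unprotected"
    return STATES.get(policy.get("state"), "unprotected")  # disabled counts as none

def audit(policies, sp_ids):
    """Best coverage per service principal across all policies."""
    return {sp: max((coverage(p, sp) for p in policies), key=RANK.get, default="unprotected")
            for sp in sp_ids}

# Constructed sample data (placeholder IDs, not real tenant objects).
SAMPLE_SPS = ["sp-backup-job", "sp-report-export", "sp-legacy-sync"]
SAMPLE_POLICIES = [
    {"state": "enabled",
     "conditions": {"clientApplications": {"includeServicePrincipals": ["sp-backup-job"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["named-location-1"]}},
     "grantControls": {"operator": "and", "builtInControls": ["block"]}},
    {"state": "enabledForReportingButNotEnforced",
     "conditions": {"clientApplications": {"includeServicePrincipals": [ALL_SPS],
                                           "excludeServicePrincipals": ["sp-legacy-sync"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "and", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    for sp, status in audit(SAMPLE_POLICIES, SAMPLE_SPS).items():
        print(f"{sp}: {status}")
```

Anything reported as `report-only` or `unprotected` still authenticates from any IP, so those are the identities to fix before retiring the service account.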
Comments
https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity