High-level service accounts (folder, project and org level)

There should be few SAs. No keys allowed. AD groups (containing the human users) should be defined for these, with all the members in the AD group. Human users should be granted the Service Account User role and that's it (not Service Account Token Creator).
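An added audit script (not part of the original notes) that checks one high-level SA against the three rules above: no user-managed keys, no direct `user:` bindings (groups only), and no Token Creator grants. It takes the JSON shapes returned by `gcloud iam service-accounts get-iam-policy` and `gcloud iam service-accounts keys list --format=json`; the sample policy, key list, e-mail addresses and key ids below are constructed for illustration.

```python
"""Audit a high-level (org/folder/project) GCP service account against the rules in the notes."""
import json
import sys
from typing import Dict, List

# Constructed sample: shape of `gcloud iam service-accounts get-iam-policy SA --format=json`
SAMPLE_POLICY: Dict = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser",
         "members": ["group:gcp-deployers@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXhCONSTRUCTED=",
}

# Constructed sample: shape of `gcloud iam service-accounts keys list --iam-account SA --format=json`
SAMPLE_KEYS: List[Dict] = [
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/aaaa",
     "keyType": "SYSTEM_MANAGED"},
    {"name": "projects/p/serviceAccounts/sa@p.iam.gserviceaccount.com/keys/bbbb",
     "keyType": "USER_MANAGED"},
]

TOKEN_CREATOR = "roles/iam.serviceAccountTokenCreator"


def audit_high_level_sa(policy: Dict, keys: List[Dict]) -> List[str]:
    """Return a list of rule violations; an empty list means the SA is compliant."""
    findings: List[str] = []

    # Rule 1: no keys. SYSTEM_MANAGED keys are created and rotated by Google and
    # cannot be downloaded, so only USER_MANAGED keys count as a violation.
    for key in keys:
        if key.get("keyType") == "USER_MANAGED":
            key_id = key["name"].rsplit("/", 1)[-1]
            findings.append(f"user-managed key present: {key_id}")

    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            # Rule 3: only Service Account User, never Token Creator.
            if role == TOKEN_CREATOR:
                findings.append(f"tokenCreator granted to {member}")
            # Rule 2: humans come in through an AD group, never bound directly.
            if member.startswith("user:"):
                findings.append(
                    f"human user bound directly ({member}, role {role}); use a group")
    return findings


if __name__ == "__main__":
    # Usage: python audit_sa.py policy.json keys.json  (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            policy = json.load(f)
        with open(sys.argv[2]) as f:
            keys = json.load(f)
    else:
        policy, keys = SAMPLE_POLICY, SAMPLE_KEYS
    for line in audit_high_level_sa(policy, keys) or ["compliant"]:
        print(line)
```

Run it against the exported policy and key list of each org-, folder- and project-level SA; the same key rule can be enforced preventively with the `constraints/iam.disableServiceAccountKeyCreation` org policy rather than only detected after the fact.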

Resource-level service accounts

Can be many. Keys allowed. Service account impersonation may be allowed.