With the transition away from profiles to permission sets, auditing your security model is more important than ever.
Principle of Least Privilege
Users should have the bare minimum access required to do their jobs. Use Permission Set Groups to manage access efficiently.
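An added example, not from the original page or from Salesforce: one way to check least privilege is to export permission set assignments and flag active users who hold high-risk system permissions nobody has signed off on. The queried fields are standard PermissionSet and PermissionSetAssignment fields; the choice of high-risk permissions, the audit and _row helpers, the approved list and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# System permissions treated as high risk here (real PermissionSet fields;
# which ones to audit is an assumption of this example).
HIGH_RISK = ("PermissionsModifyAllData", "PermissionsViewAllData", "PermissionsAuthorApex")

# SOQL that exports the rows audit() expects (run it with your usual query tool).
SOQL = (
    "SELECT Assignee.Username, PermissionSet.Label, PermissionSet.IsOwnedByProfile, "
    "PermissionSet.Profile.Name, PermissionSetGroup.DeveloperName, "
    + ", ".join("PermissionSet." + p for p in HIGH_RISK)
    + " FROM PermissionSetAssignment WHERE Assignee.IsActive = true"
)

def audit(rows, approved):
    """Map username -> sorted [(permission, source)] for grants not in `approved`,
    a set of (username, permission) pairs the org has signed off on."""
    findings = defaultdict(set)
    for row in rows:
        ps = row["PermissionSet"]
        group = row.get("PermissionSetGroup")
        if group:
            source = "group:" + group["DeveloperName"]
        elif ps["IsOwnedByProfile"]:
            source = "profile:" + ps["Profile"]["Name"]
        else:
            source = "permset:" + ps["Label"]
        user = row["Assignee"]["Username"]
        for perm in HIGH_RISK:
            if ps.get(perm) and (user, perm) not in approved:
                findings[user].add((perm, source))
    return {u: sorted(f) for u, f in findings.items()}

def _row(user, label, profile=None, group=None, **perms):
    """Build one constructed record in the nested shape a query result uses."""
    ps = {"Label": label, "IsOwnedByProfile": profile is not None,
          "Profile": {"Name": profile} if profile else None, **perms}
    return {"Assignee": {"Username": user}, "PermissionSet": ps,
            "PermissionSetGroup": {"DeveloperName": group} if group else None}

# Constructed sample data, not from a real org.
SAMPLE = [
    _row("admin@example.com", "profile-owned", profile="System Administrator",
         PermissionsModifyAllData=True, PermissionsViewAllData=True),
    _row("rep@example.com", "Sales Base", group="Sales_Rep"),
    _row("rep@example.com", "Report Export", PermissionsViewAllData=True),
    _row("dev@example.com", "Dev Tools", group="Developers", PermissionsAuthorApex=True),
]
APPROVED = {("admin@example.com", "PermissionsModifyAllData"),
            ("admin@example.com", "PermissionsViewAllData")}
```

Each finding names the profile, permission set or group that grants the permission, so the fix can be made at the source of the grant rather than user by user.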
Health Check
Run the native Salesforce Health Check baseline regularly to identify vulnerabilities in session settings and password policies.