It would be beneficial to track any ReportResource/DeleteResource calls down to a specific source client via either metrics or logging to help us uncover where requests are coming from. This would be useful to determine what SP is generating a lot of errors in our API or even through our replication processes. It would also help us validate any sync issues between resource counts if we can confirm whether outside processes are creating resources with kessel and not the actual service provider

Metrics would be easier to query but may lead to too many cardinalities in metrics and create memory issues. 
Capturing client_id's in logs would allow us to query them in Cloudwatch as an alternative

Done Criteria

• Spike/POC some options to address the goal of detecting the source client of a request and create any follow up work to implement
• Focus should be on using OIDC auth information, capturing client id when auth is disabled is out of scope