aws-iam v5.48.3 - Fixed IAM group membership and provisioning issues in the Managed permissions stack

Apr 24, 2026 Guardrails Mods

Bug fixes

  • The AWS > Turbot > IAM > Group > Managed control incorrectly flagged existing members of service-specific IAM groups (for example, stepfunctions_admin, secretsmanager_admin, and cloudwatch_operator) for removal, because the control could not match those members against their existing Guardrails grants. Existing group members are now recognized correctly and are no longer reported as unauthorized.
  • The AWS > Turbot > IAM > Managed > Provision Managed Resources action generated invalid ARNs containing undefined in place of the account ID (for example, arn:aws:iam::undefined:policy/turbot/...) and created duplicate "ghost" entries in CMDB alongside the real IAM policies, roles, users, and groups it provisioned. This affected workspaces whose account metadata had been populated by earlier discovery runs. ARNs are now generated with the correct account ID, and duplicate CMDB entries are no longer created.
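One way to audit an exported list of IAM ARNs for the "ghost" entries described above, as an added example that is not part of Guardrails or of this release. It assumes the ARNs are already available as plain strings; the account ID, resource names, and function names are constructed for illustration.

```python
import re
from collections import defaultdict

ACCOUNT_ID = re.compile(r"\d{12}")  # IAM account IDs are 12 digits

def split_arn(arn):
    """Return (partition, service, region, account, resource), or None if not ARN-shaped."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return tuple(parts[1:])

def find_ghost_arns(arns):
    """Map each IAM ARN with an invalid account field to the valid ARNs naming the same resource."""
    real_by_resource = defaultdict(list)
    suspects = []
    for arn in arns:
        fields = split_arn(arn)
        if fields is None or fields[1] != "iam":
            continue  # only IAM ARNs are in scope for this check
        account, resource = fields[3], fields[4]
        # "aws" is the account field used by AWS-managed policies
        if ACCOUNT_ID.fullmatch(account) or account == "aws":
            real_by_resource[resource].append(arn)
        else:
            suspects.append((arn, resource))
    # An empty list means no correctly formed twin was found for that entry
    return {arn: real_by_resource.get(resource, []) for arn, resource in suspects}

# Constructed sample input, not taken from any real workspace
SAMPLE = [
    "arn:aws:iam::123456789012:policy/turbot/example_policy",
    "arn:aws:iam::undefined:policy/turbot/example_policy",
    "arn:aws:iam::123456789012:group/turbot/example_group",
    "arn:aws:iam::undefined:role/turbot/example_role",
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:s3:::example-bucket",
]

if __name__ == "__main__":
    for ghost, twins in find_ghost_arns(SAMPLE).items():
        print(ghost, "->", twins or "no valid twin found")
```

An entry paired with a valid twin is a candidate duplicate of a real resource; an entry with no twin needs manual review before cleanup.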