Security's hardest question isn't "who can do what" but "who can do what they shouldn't?" Manually reading IAM policies line-by-line for external exposure is impossible. S3 bucket policy, KMS key policy, IAM role trust policy intertwining make "is this bucket open to outside?" unanswerable by human eyes alone. Policy combination permutations explode.
IAM Access Analyzer's essence: mathematically proving this question. Not executing policies observing results (can't try all cases), but converting policies to logic formulae asking "does input allowing external access exist?" using formal logic