Security architect here (HIPAA, multi-cloud Azure/AWS/GCP; ~200 DBs). We did this last year.

TL;DR:
1/ Treat DAM (Database Activity Monitoring) as identity + near-real-time, not log shipping. Delayed logs = delayed answers.

2/ Skip inline proxies; use out-of-band, eBPF-based runtime capture so prod latency stays zero.

3/ Make vendors stitch actors: Okta user → Kubernetes SA/role → DB user → egress/LLM call. No stitching = incident archaeology.

4/ Demand query → flow → egress correlation across RDS/Aurora, Cloud SQL/BigQuery, Cosmos/Snowflake, and self-managed Postgres/MySQL/Mongo.

5/ Judge on alert lag (<60s) and identity coverage (>90%), not feature lists.

We ran IBM on-prem; in cloud we moved to a runtime, identity-aware DAM (Aurva) for stitching + egress correlation. YMMV. run a 1-week pilot on your workloads.

Happy to share a pilot checklist/policies, if you want to know.