In an AD + SAML federated identity scenario, users may log into the AWS console through the same high-privilege IAM Role. If you only want to restrict a subset of those users from using Session Manager or EC2 Instance Connect to log into instances, you can use the aws:userid condition key to create an explicit Deny.
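As an added illustration (not policy text from the original post), the following inline policy attached to the shared federated role denies only the listed principals the instance-login actions while leaving the role's other permissions intact. When a SAML user assumes a role, `aws:userid` takes the form `<role-id>:<RoleSessionName>`, where the role ID (an `AROA…` value, obtainable with `aws iam get-role --role-name <name> --query Role.RoleId`) is stable and the session name is the identity the IdP passes, typically the user's UPN or e-mail. Both the role ID and the user names below are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceLoginForSelectedFederatedUsers",
      "Effect": "Deny",
      "Action": [
        "ssm:StartSession",
        "ec2-instance-connect:SendSSHPublicKey",
        "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
        "ec2-instance-connect:OpenTunnel"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:userid": [
            "AROAEXAMPLEROLEID000:alice@example.com",
            "AROAEXAMPLEROLEID000:bob@example.com"
          ]
        }
      }
    }
  ]
}
```

Because an explicit Deny wins over any Allow in the same or another attached policy, the restriction holds even though the role itself still grants `ssm:StartSession`. Verify the effective identity before relying on the match: a session started through the console shows its exact `aws:userid` in the CloudTrail `userIdentity` block (`principalId`), and that value must equal the string in the condition for the Deny to apply. If the IdP cannot be trusted to set a stable `RoleSessionName`, prefer splitting the users onto a separate, less-privileged role instead of matching on session names.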
4/6/26
