Third-party cloud apps and security - what controls do you need?

Hi everyone!
I'm a researcher in the Atlassian ecosystem and marketplace. That means that I work with third-party apps and customizations you build in-house.
We are currently investigating the security needs of our customers who intend to migrate to the cloud while using third-party apps (or in-house customizations). We want to know what security controls you would need to feel comfortable using apps in the cloud. To help us create the right solution for you, we are curious:

What rule(s) would you set to control how your apps access data?

What rule(s) would you define to keep your data secure?

Be as creative as you need; there are no limitations. For example, you might want to set a rule around what actions an app can take, where it can perform those actions, or what types of apps should be restricted. A structure to help you:

As a [your role or another admin's role] I would like apps to [action] so that [result]. 

For example:
As a systems administrator, I would like for apps only to access some projects to ensure my projects with sensitive data are protected in the cloud. 

We would love to hear the 3-5 rules you would define in this thread   

Keen to share more? We're currently running one-to-one sessions with people to explore their ecosystem of tools; if you would like to participate, we'd love to hear from you! Find a time in my calendar by following this link:
https://calendly.com/cmccurrie/third-party-cloud-security