This control plane turns raw Google Cloud IAM snapshots into a buyer-readable drift surface: public bindings, privileged roles, org-policy mismatches, stale baselines, and the remediation packet needed ahead of audits, launches, or partner access windows.
| Severity | Finding | Owner | Resource | Role | Member | Message |
|---|---|---|---|---|---|---|
| high | viewer-to-allusers | Cloud Security Engineering | projects/prod-core-platform/buckets/marketing-atlas-exports | roles/storage.objectViewer | allUsers | Public viewer access is active on "projects/prod-core-platform/buckets/marketing-atlas-exports" via allUsers. |
| high | editor-basic-role-grant | Platform IAM | projects/prod-core-platform | roles/editor | group:ops-contractors@kineticgain.com | Basic role "roles/editor" is still granted on "projects/prod-core-platform". |
| high | service-account-token-creator | Identity Platform | folders/7091448821/serviceAccounts/finance-ingestor@prod-core-platform.iam.gserviceaccount.com | roles/iam.serviceAccountTokenCreator | serviceAccount:legacy-sync@partner-edge.iam.gserviceaccount.com | Token creator access on "folders/7091448821/serviceAccounts/finance-ingestor@prod-core-platform.iam.gserviceaccount.com" should be validated before production federation expands. |
| medium | stale-snapshot | Cloud Governance | folders/7091448821/buckets/finance-drop-zone | — | — | Snapshot "finance-folder" is stale and can no longer be trusted as the live IAM baseline. |
| medium | org-policy-guardrail-missing | Cloud Governance | projects/prod-core-platform | roles/editor | group:ops-contractors@kineticgain.com | Binding drift on "projects/prod-core-platform" no longer matches the intended org-policy guardrail. |
| medium | folder-inheritance-drift | Cloud Governance | folders/7091448821/serviceAccounts/finance-ingestor@prod-core-platform.iam.gserviceaccount.com | roles/iam.serviceAccountTokenCreator | serviceAccount:legacy-sync@partner-edge.iam.gserviceaccount.com | Folder-level inheritance drift is changing effective access on "folders/7091448821/serviceAccounts/finance-ingestor@prod-core-platform.iam.gserviceaccount.com". |
| low | stale-diff-window | Cloud Governance | projects/prod-core-platform/buckets/marketing-atlas-exports | roles/storage.objectViewer | allUsers | Binding drift on "projects/prod-core-platform/buckets/marketing-atlas-exports" has remained unresolved for 42 hours. |
| low | stale-diff-window | Cloud Governance | folders/7091448821/serviceAccounts/finance-ingestor@prod-core-platform.iam.gserviceaccount.com | roles/iam.serviceAccountTokenCreator | serviceAccount:legacy-sync@partner-edge.iam.gserviceaccount.com | Binding drift on "folders/7091448821/serviceAccounts/finance-ingestor@prod-core-platform.iam.gserviceaccount.com" has remained unresolved for 31 hours. |