This control plane turns raw Google Cloud IAM snapshots into a buyer-readable drift surface: public bindings, privileged roles, org-policy mismatches, stale baselines, and the remediation packet needed before an audit, launch, or partner access window.
| Lane | Owner | Focus | Status | Findings | Next action |
|---|---|---|---|---|---|
| Public binding lane. Public GCS bucket bindings are still the fastest way to turn a policy diff into a real incident. | Cloud Security Engineering | Anonymous and broad viewer bindings | red | 1 | Remove public viewer grants before calling storage posture governed. |
| Basic role lane. Editor drift usually means emergency changes that never got normalized. | Platform IAM | Project-level editor role cleanup | red | 1 | Replace basic roles with scoped custom or product-aligned roles. |
| Service account trust lane. Token creator drift should stay visible before it compounds into federation risk. | Identity Platform | Cross-environment token creation and workload identity hygiene | yellow | 1 | Revalidate token creator grants before the next partner sync window. |
| Snapshot hygiene lane. Drift logic is only trustworthy when the baseline is current. | Cloud Governance | Stale snapshots and inheritance drift | yellow | 4 | Refresh folder and org snapshots so policy diffs map to the current baseline. |
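The lanes above are four detection rules run over one IAM snapshot. The following is an added example, not code from this control plane or any project, showing how a minimal version of those rules can be applied to a project policy snapshot and rolled up into per-lane status and finding counts like the table's. The snapshot layout follows the `bindings` / `role` / `members` shape that `gcloud projects get-iam-policy --format=json` returns; the `project` and `captured_at` fields are assumed to be added by whatever collector stores the snapshot, the seven-day freshness threshold is an assumption, the lane names are made up here, and the sample snapshot is constructed.

```python
"""Minimal IAM drift check over a Google Cloud project policy snapshot (added example)."""
from datetime import datetime, timedelta, timezone

# Principal identifiers that make a binding public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Basic (primitive) roles the basic-role lane wants replaced with scoped roles.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Impersonation / federation roles surfaced by the service-account trust lane.
TOKEN_ROLES = {"roles/iam.serviceAccountTokenCreator", "roles/iam.workloadIdentityUser"}
# Baseline freshness threshold: an assumption for this example, not a value from the page.
MAX_SNAPSHOT_AGE = timedelta(days=7)


def _member_project(member: str):
    """Return the project id embedded in a serviceAccount: member, or None for other principals."""
    if not member.startswith("serviceAccount:"):
        return None
    email = member.split(":", 1)[1]
    domain = email.split("@", 1)[1] if "@" in email else ""
    suffix = ".iam.gserviceaccount.com"
    return domain[: -len(suffix)] if domain.endswith(suffix) else None


def find_drift(snapshot: dict, now: datetime) -> list:
    """Run the four lane rules over one snapshot and return a list of finding dicts."""
    findings = []
    project = snapshot["project"]  # assumed collector-added field
    for binding in snapshot.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            # Public binding lane: any grant to an anonymous or all-authenticated principal.
            if member in PUBLIC_MEMBERS:
                findings.append({"lane": "public-binding", "status": "red", "role": role, "member": member})
            # Basic role lane: owner/editor/viewer granted at project level.
            if role in BASIC_ROLES:
                findings.append({"lane": "basic-role", "status": "red", "role": role, "member": member})
            # Service account trust lane: impersonation granted to a service account from another project.
            if role in TOKEN_ROLES:
                grantee_project = _member_project(member)
                if grantee_project is not None and grantee_project != project:
                    findings.append({"lane": "sa-trust", "status": "yellow", "role": role, "member": member})
    # Snapshot hygiene lane: the baseline itself is too old to trust the diff.
    captured = datetime.fromisoformat(snapshot["captured_at"])  # assumed collector-added field
    age = now - captured
    if age > MAX_SNAPSHOT_AGE:
        findings.append({"lane": "snapshot-hygiene", "status": "yellow", "age_days": age.days})
    return findings


def lane_summary(findings: list) -> dict:
    """Roll findings up per lane: count them, and mark the lane red if any finding is red."""
    summary = {}
    for f in findings:
        lane = summary.setdefault(f["lane"], {"status": "yellow", "findings": 0})
        lane["findings"] += 1
        if f["status"] == "red":
            lane["status"] = "red"
    return summary


# Constructed sample snapshot: one hit per lane plus one clean binding.
SAMPLE_SNAPSHOT = {
    "project": "prod-app-1",
    "captured_at": "2024-05-01T00:00:00+00:00",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/editor", "members": ["user:oncall@example.com"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:ci@staging-tools.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer", "members": ["group:sre@example.com"]},
    ],
}
SAMPLE_NOW = datetime(2024, 5, 11, tzinfo=timezone.utc)  # ten days after capture

if __name__ == "__main__":
    for lane, row in lane_summary(find_drift(SAMPLE_SNAPSHOT, SAMPLE_NOW)).items():
        print(f"{lane:18} {row['status']:7} findings={row['findings']}")
```

A same-project token creator grant produces no trust-lane finding, so the rule only fires on the cross-environment case the lane is about; a real deployment would also diff each snapshot against the folder and org baseline, which this example does not attempt.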