Zero Trust Isn't a Product — It's What Happens When You Actually Review IAM
Most GCP organizations I assess have a zero trust problem they don't know about. They've configured VPC Service Controls. They've enabled BeyondCorp. They've checked the "zero trust" boxes on their security roadmap. But when I export their IAM bindings to BigQuery and run a simple query, I find service accounts with roles/editor granted two years ago that have never been reviewed.
Zero trust without IAM hygiene is security theater. The perimeter controls are there, but inside the perimeter, every service account has the keys to the kingdom.
The Problem Nobody Wants to Own
Least privilege is the goal. Everyone agrees on this. The problem is that nobody achieves it manually across a GCP org with dozens of projects and hundreds of service accounts.
Here's the pattern I see repeatedly in mid-market SaaS companies:
- Initial platform setup happens fast — engineers grant roles/owner to service accounts because it works and they're under deadline pressure
- Security reviews happen quarterly (if at all) and focus on project-level IAM, missing org-wide patterns
- Nobody has a clear owner for IAM hygiene, so recommendations pile up indefinitely
- SOC 2 auditors ask for evidence of periodic access reviews, and the team scrambles to produce manual spreadsheets
The fundamental issue isn't technical capability. GCP gives you everything you need to operationalize least privilege. The issue is that IAM governance requires a workflow, an owner, and a system of record. Most organizations have none of these.
IAM Recommender Exists — But Nobody Uses It Properly
IAM Recommender is one of the most underutilized tools in GCP. It compares the permissions a role grants against the permissions the principal actually exercised over the last 90 days, then surfaces over-privileged bindings and suggests removing the role or replacing it with a narrower predefined or custom role. It's doing the analysis work that would take a human weeks to do manually.
But here's what I've seen: teams enable IAM Recommender, look at the recommendations once, feel overwhelmed by the volume, and never act on them.
The recommendations pile up. Nothing changes. The audit comes around, and the team is in the same position they were in a year ago.
The missing piece is the analysis layer. IAM Recommender gives you individual recommendations per principal per resource. That's useful for tactical fixes, but it doesn't give you the strategic view. You can't see patterns across your org. You can't prioritize by risk. You can't track remediation progress over time.
This is where BigQuery changes the game.
Operationalizing Zero Trust with BigQuery
Exporting IAM Recommender data to BigQuery lets you run org-wide analysis at scale. Instead of reviewing recommendations one by one in the console, you can query your entire IAM posture programmatically.
Start with Cloud Asset Inventory to export the IAM policy of every project in the org. A service account's bindings live on the resources it was granted access to (projects, folders, the org), not on the ServiceAccount asset itself, so export project assets with the iam-policy content type:
gcloud asset export \
  --organization=ORG_ID \
  --billing-project=PROJECT_ID \
  --content-type=iam-policy \
  --asset-types="cloudresourcemanager.googleapis.com/Project" \
  --bigquery-table=projects/PROJECT/datasets/DATASET/tables/iam_export
Then query for the highest-risk pattern: service accounts holding roles/editor or roles/owner. In the export schema iam_policy.bindings and bindings.members are repeated fields, so they have to be unnested before you can filter on them:
SELECT
  name AS project_resource,
  binding.role,
  member
FROM `project.dataset.iam_export`,
  UNNEST(iam_policy.bindings) AS binding,
  UNNEST(binding.members) AS member
WHERE binding.role IN ('roles/editor', 'roles/owner')
  AND member LIKE 'serviceAccount:%'
In one SaaS company I worked with, this query revealed 47 service accounts with roles/editor at the project level. Fifteen of those service accounts had additional roles — some with 15+ unused permissions going back two years. The platform team had no idea.
For recommendations specifically, use the Recommender API. The command is scoped to the resource whose IAM policy you want recommendations for, so run it per project (or with --folder or --organization for bindings set at those levels) to build the org-wide view:
gcloud recommender recommendations list \
  --project=PROJECT_ID \
  --recommender=google.iam.policy.Recommender \
  --location=global \
  --format=json
You can also work IAM Recommender findings through Security Command Center, which lists them under the IAM Recommender source (the underlying Recommender insight type is google.iam.policy.Insight). Route those findings to your ticketing system through SCC notifications to Pub/Sub, and you've got an automated workflow that didn't exist before.
What Changes When You Have the Data
Once you have IAM analysis in BigQuery, several things become possible:
Risk prioritization. Not all over-privileged bindings are equal. A service account with roles/owner on your production data project is more urgent than one with roles/editor on a sandbox project. BigQuery lets you join IAM data with resource metadata to prioritize by blast radius.
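The join described above, written out as an added example (this is not a query from the original post). It assumes two Cloud Asset Inventory exports of Project assets in the same dataset: `iam_export` (content type iam-policy, as exported earlier) and `resource_export` (content type resource, which carries project labels), and that production projects are labelled `env=prod`. The table names, the label key and value, and the numeric weights are all assumptions you would replace with your own conventions.

```sql
-- Added example: rank broad service-account grants by blast radius.
-- Assumptions (not from the original post):
--   iam_export      = gcloud asset export --content-type=iam-policy on Project assets
--   resource_export = gcloud asset export --content-type=resource   on Project assets
--   production projects carry the label env=prod
WITH broad_grants AS (
  SELECT
    p.name AS project_resource,   -- //cloudresourcemanager.googleapis.com/projects/NUMBER
    b.role,
    m AS member
  FROM `project.dataset.iam_export` AS p,
       UNNEST(p.iam_policy.bindings) AS b,
       UNNEST(b.members) AS m
  WHERE b.role IN ('roles/owner', 'roles/editor')
    AND m LIKE 'serviceAccount:%'
    -- Conditional bindings are narrower than the role name suggests; review them separately.
    AND b.condition.expression IS NULL
),
project_meta AS (
  SELECT
    name AS project_resource,
    JSON_VALUE(resource.data, '$.projectId') AS project_id,
    JSON_VALUE(resource.data, '$.labels.env') AS env   -- label key is an assumption
  FROM `project.dataset.resource_export`
  WHERE asset_type = 'cloudresourcemanager.googleapis.com/Project'
)
SELECT
  g.member,
  g.role,
  COALESCE(pm.project_id, g.project_resource) AS project,
  COALESCE(pm.env, 'unlabelled') AS env,
  -- Weights are an assumption: owner outranks editor, prod doubles the score,
  -- and an unlabelled project is treated as prod until someone says otherwise.
  (CASE g.role WHEN 'roles/owner' THEN 3 ELSE 2 END)
    * (CASE WHEN pm.env = 'prod' OR pm.env IS NULL THEN 2 ELSE 1 END) AS risk_score
FROM broad_grants AS g
LEFT JOIN project_meta AS pm USING (project_resource)
ORDER BY risk_score DESC, g.member;
```

The LEFT JOIN is deliberate: a project that is missing from the resource export still shows up, at the top of the list, because a grant you cannot even attribute to an environment is exactly the one that needs a human to look at it.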
Remediation tracking. Run the same query weekly. Track the count of high-risk bindings over time. Show the trend line to auditors. This is the evidence of continuous improvement that SOC 2 controls require.
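An added example of the weekly trend query (again not from the original post). It assumes the scheduled export job appends a `snapshot_date` DATE column to `iam_export` on every run; the column name and the weekly cadence are assumptions. Beyond the plain count the text describes, it also flags grants that appear for the first time in a given snapshot, which separates new over-provisioning from old leftovers.

```sql
-- Added example: trend of broad service-account grants across snapshots.
-- Assumption (not from the original post): every export run appends a
-- snapshot_date DATE column to iam_export.
WITH grants AS (
  SELECT DISTINCT
    snapshot_date,
    p.name AS project_resource,
    b.role,
    m AS member
  FROM `project.dataset.iam_export` AS p,
       UNNEST(p.iam_policy.bindings) AS b,
       UNNEST(b.members) AS m
  WHERE b.role IN ('roles/owner', 'roles/editor')
    AND m LIKE 'serviceAccount:%'
    AND snapshot_date >= DATE_SUB(CURRENT_DATE(), INTERVAL 26 WEEK)
),
first_seen AS (
  -- The first snapshot in which each (project, role, member) triple was observed.
  SELECT project_resource, role, member, MIN(snapshot_date) AS first_snapshot
  FROM grants
  GROUP BY project_resource, role, member
),
per_snapshot AS (
  SELECT
    g.snapshot_date,
    COUNT(*) AS broad_grants,
    COUNTIF(g.role = 'roles/owner') AS owner_grants,
    COUNT(DISTINCT g.member) AS distinct_service_accounts,
    -- A grant first observed in this snapshot is a regression, not a leftover.
    -- (In the oldest snapshot of the window every grant is "new"; ignore that row.)
    COUNTIF(f.first_snapshot = g.snapshot_date) AS new_this_snapshot
  FROM grants AS g
  JOIN first_seen AS f USING (project_resource, role, member)
  GROUP BY g.snapshot_date
)
SELECT
  snapshot_date,
  broad_grants,
  owner_grants,
  distinct_service_accounts,
  new_this_snapshot,
  -- Negative deltas are the evidence of continuous improvement auditors ask for.
  broad_grants - LAG(broad_grants) OVER (ORDER BY snapshot_date) AS delta_vs_previous
FROM per_snapshot
ORDER BY snapshot_date;
```

Keep the output table small and boring: one row per snapshot is something you can paste straight into an audit evidence folder, and `new_this_snapshot` staying at zero for a quarter is a stronger control story than the total count going down.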
Ownership visibility. BigQuery analysis often reveals that nobody knows who created certain service accounts or why they exist. This visibility forces the conversation about IAM ownership that most orgs avoid.
The Lifecycle Operations stage of the SCALE Framework is where most teams fall short. They have security controls in place, but no ongoing governance process. BigQuery + IAM Recommender gives you the operational layer that makes governance sustainable.
Trade-Offs You Need to Understand
This approach isn't without complexity.
90-day usage window limitations. IAM Recommender looks at the last 90 days of activity. If you have seasonal workloads or jobs that run quarterly, they'll get flagged as unused. Review recommendations before auto-remediating. I've seen teams accidentally revoke permissions from their disaster recovery service accounts because those accounts only get used during DR tests.
Custom role maintenance burden. The proper remediation for over-privileged bindings is often a custom role scoped to actual API usage. But custom roles require maintenance. When GCP releases new APIs, custom roles don't automatically get new permissions. Someone has to own the role lifecycle, or you'll break workloads when GCP updates services.
Point-in-time exports. A single BigQuery export gives you a snapshot. For continuous monitoring you need to run the export on a schedule (Cloud Scheduler triggering the export into a date-partitioned table is the usual pattern) and, if you want to catch a new roles/owner grant within minutes rather than at the next run, a Cloud Asset Inventory feed that publishes IAM policy changes to Pub/Sub. Feeds deliver change events, not scheduled snapshots, so they complement the export rather than replace it. This adds infrastructure to maintain, but it's the only way to make IAM governance truly continuous.
The Question You Need to Answer
Zero trust is an architecture principle, not a product you buy. IAM Recommender gives you the data. BigQuery gives you the analysis layer. The tools exist.
What's missing in most organizations is the remediation workflow and ownership. If nobody owns IAM hygiene, the recommendations pile up and nothing changes. You'll have all the visibility in the world and no improvement to show for it.
The question isn't whether to implement this pattern. The question is: who in your organization owns IAM governance, and what happens when they find 200 over-privileged service accounts?
What's the oldest unused role binding you've found in your GCP org? I've seen some that predate the company's SOC 2 certification by years.
Amit Malhotra, Principal GCP Architect, Buoyant Cloud Inc
Work with a GCP specialist — book a free discovery call → https://buoyantcloudtech.com