Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

GCP privileged permissions: what IAM teams need to watch


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Newly introduced and newly deniable privileged actions in Google Cloud Platform now span identity remapping, authentication changes, and backup controls, creating fresh paths to escalation, persistence, and data loss, according to Sonrai Security. The governance problem is not volume alone, but the way small permission shifts can outpace static entitlement reviews.

NHIMG editorial — based on content published by Sonrai Security: Oct Recap: New and Newly Deniable GCP Privileged Permissions

By the numbers:

Questions worth separating out

Q: How should security teams handle newly privileged cloud permissions in access reviews?

A: They should treat any permission that can change IAM policy, authentication records, certificates, or backup protections as a privileged control, not a routine operational right.

Q: Why do cloud permissions that affect identity policy create more risk than ordinary execution rights?

A: Because they can change who is trusted and what access paths exist, not just what work a service can perform.

Q: What breaks when backup configuration permissions are over-granted?

A: Recovery breaks first.

Practitioner guidance

  • Classify new permissions by control impact Review each newly surfaced cloud permission for whether it can alter IAM policy, authentication state, certificates, or backup protection.
  • Extend deny policies to high-risk administrative actions Use deny rules to block newly controllable privileges that can enable escalation, persistence, or recovery disruption.
  • Review identity remapping as a privileged governance event Treat identity mapping imports and similar control-plane changes as access model changes, not routine data updates.

What's in the full article

Sonrai Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • Permission-by-permission breakdown of the new GCP actions and why each one matters for escalation or persistence
  • MITRE ATT&CK tactic mapping for each privilege so teams can align review priorities to threat behaviour
  • Service-specific guidance for Discovery Engine, Cloud Integrations, and Backup and DR permissions
  • Details on how newly deniable actions change the practical use of cloud policy controls

👉 Read Sonrai Security's analysis of newly privileged GCP permissions and cloud risk →

GCP privileged permissions: what IAM teams need to watch?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Cloud privilege drift is now a governance problem, not a service-management detail. When a platform adds new administrative actions faster than teams update entitlement models, least privilege becomes stale by default. The security issue is not that GCP is unusual, but that cloud control planes now evolve faster than many access review cycles can absorb. Practitioners need to treat permission expansion as an active governance event, not a periodic audit finding.

A few things that frame the scale:

  • 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments, according to the 2026 Infrastructure Identity Survey.
  • Static credential dependence is not just a hygiene issue. In the same survey, 69% of security leaders said identity management must fundamentally shift to address agentic AI systems.

A question worth separating out:

Q: Which governance framework is most relevant to cloud permission drift?

A: Zero Trust and least-privilege governance are the right starting points, because both assume access should be narrowly scoped and continuously verified. In cloud environments, those controls must extend to control-plane permissions, backup rights, and authentication changes, not just user-facing application access.

👉 Read our full editorial: GCP privileged permissions are widening cloud identity risk



   
ReplyQuote
Share: