Beyond IAM: Implementing a Zero-Trust Data Plane With Service Account Identity Federation in GCP
Why IAM Alone Is No Longer Sufficient for Cloud Security

Organizations now process and move data differently because of modern, cloud-native platforms. Workloads such as Spark jobs, Kafka streams, Snowflake queries, and ML pipelines run continuously in short-lived environments. IAM systems are still important, but they were primarily built to secure the control plane and determine who can log in, manage resources, and set policies. IAM was not designed to control what running workloads can do.

Security models have shifted from perimeter-based defenses to zero trust. Relying on network location or long-lived credentials is now seen as risky. Today, the data plane, where jobs interact with data, is the primary target of attacks. Data-plane identities often use static service account keys, OAuth tokens, or shared secrets. These are usually long-lasting, have too many permissions, are hard to rotate, and are reused in many places, which increases risk if they are stolen.
Continue reading on DZone