
Zero Trust Requires IAM Hygiene, Not Just Products
Zero Trust Isn't a Product — It's What Happens When You Actually Review IAM

Most GCP organizations I assess have a zero trust problem they don't know about. They've configured VPC Service Controls. They've enabled BeyondCorp. They've checked the "zero trust" boxes on their security roadmap. But when I export their IAM bindings to BigQuery and run a simple query, I find service accounts with roles/editor granted two years ago that have never been reviewed.

Zero trust without IAM hygiene is security theater. The perimeter controls are there, but inside the perimeter, every service account has the keys to the kingdom.

The Problem Nobody Wants to Own

Least privilege is the goal. Everyone agrees on this. The problem is that nobody achieves it manually across a GCP org with dozens of projects and hundreds of service accounts.

Here's the pattern I see repeatedly in mid-market SaaS companies: Initial platform setup happens fast — engineers grant roles/owner to service accounts because it works
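The review the post describes (find service accounts holding basic roles such as roles/owner or roles/editor, and how long ago they were granted) can be done without BigQuery over the JSON that gcloud projects get-iam-policy emits. The following is an added example and not the author's query or any Google tooling: the project names, service accounts and grant dates are constructed, and the grant dates stand in for what one would reconstruct from SetIamPolicy entries in Cloud Audit Logs, since the policy document itself carries no timestamp.

```python
"""Flag service accounts holding GCP basic roles across projects (added example).

The policy shape mirrors `gcloud projects get-iam-policy PROJECT --format=json`.
All names, dates and projects below are constructed for the example.
"""
import json
from datetime import date

# GCP "basic" (formerly primitive) roles: far too broad for a service account.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
SA_PREFIX = "serviceAccount:"

# Constructed sample: IAM policies for two hypothetical projects.
SAMPLE_POLICIES = {
    "prod-api": json.loads("""{
      "version": 1,
      "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-deployer@prod-api.iam.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/owner",
         "members": ["serviceAccount:bootstrap@prod-api.iam.gserviceaccount.com"]},
        {"role": "roles/pubsub.publisher",
         "members": ["serviceAccount:ingest@prod-api.iam.gserviceaccount.com"]}
      ]}"""),
    "data-warehouse": json.loads("""{
      "version": 1,
      "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:etl@data-warehouse.iam.gserviceaccount.com"]}
      ]}"""),
}

# Constructed grant dates keyed by (project, role, member), standing in for
# what SetIamPolicy audit log entries would give you. Missing keys mean the
# grant predates log retention, which is itself worth flagging.
SAMPLE_GRANT_DATES = {
    ("prod-api", "roles/editor",
     "serviceAccount:ci-deployer@prod-api.iam.gserviceaccount.com"): date(2022, 3, 1),
    ("prod-api", "roles/owner",
     "serviceAccount:bootstrap@prod-api.iam.gserviceaccount.com"): date(2021, 11, 15),
    ("data-warehouse", "roles/editor",
     "serviceAccount:etl@data-warehouse.iam.gserviceaccount.com"): date(2024, 1, 10),
}


def find_stale_basic_grants(policies, grant_dates, today, max_age_days=365):
    """Return one finding per (project, basic role, service account) binding.

    A finding carries age_days (None when the grant date is unknown) and
    stale=True when the grant is older than max_age_days or has no known date.
    Recent grants are still returned: a basic role on a service account is a
    finding on its own, the age only sets review priority.
    """
    findings = []
    for project, policy in policies.items():
        for binding in policy.get("bindings", []):
            role = binding["role"]
            if role not in BASIC_ROLES:
                continue
            for member in binding.get("members", []):
                if not member.startswith(SA_PREFIX):
                    continue  # users/groups get their own review; not this script's job
                granted = grant_dates.get((project, role, member))
                age = (today - granted).days if granted else None
                findings.append({
                    "project": project,
                    "role": role,
                    "member": member,
                    "age_days": age,
                    "stale": age is None or age > max_age_days,
                })
    # Oldest (and unknown-age) grants first: that is the review order.
    findings.sort(key=lambda f: -(f["age_days"] if f["age_days"] is not None else float("inf")))
    return findings


if __name__ == "__main__":
    for f in find_stale_basic_grants(SAMPLE_POLICIES, SAMPLE_GRANT_DATES, date(2024, 6, 1)):
        flag = "STALE " if f["stale"] else "      "
        print(f"{flag}{f['project']:<16}{f['role']:<14}{str(f['age_days']):>5}d  {f['member']}")
```

On a real organization, feed it one policy per project (and fold in folder- and org-level bindings, which this sample omits) and drive the grant dates from exported audit logs or the asset inventory export the post mentions; anything with stale=True goes to the owning team with a deadline to replace the basic role with a predefined or custom one.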
Continue reading on Dev.to


