Reimagine security with Google Cloud IAM, the unified foundation for governing both human and AI agent access at scale.
Read the quick walkthrough to begin IAM role setup in the console
Features
Consolidate identity for your entire ecosystem: Enable your workforce to securely sign in using SSO and MFA with Google Cloud Identity, or with syncless Workforce Identity Federation against your own identity provider. Provide first-class cryptographic identities unique to your agents and applications so that they can securely authenticate both as themselves and on behalf of the end user.
Simplify setup with Gemini for intelligent optimization. Eliminate guesswork by using the Gemini Role Picker to generate least-privilege roles from natural language. Use the broader Policy Intelligence suite to see what your users and agents have access to with Policy Analyzer, then automatically detect and remove excessive permissions, troubleshoot access issues, and ensure your policies remain secure and optimized over time.
Establish a secure foundation for your workforce, workloads, and AI agents. Use Organization Policies to create a centralized hierarchy for all resources. Define a security baseline with custom policies that programmatically enforce guardrails, ensuring human, workload, and agent access remains compliant with corporate policies from day one.
Move beyond broad roles with precise permissions. Use Principal Access Boundary to down-scope agent access from full delegated user permissions. For human administrators, use Privileged Access Manager (PAM) to grant temporary, time-bound access for sensitive tasks, ensuring elevated privileges are never permanent and the "blast radius" of any identity is strictly contained.
Enforce a comprehensive Zero Trust model with dynamic, attribute-based access. Use Access Context Manager to create fine-grained access rules based on user identity and device context. Then, enforce these rules across your applications and Google Cloud services with Identity-Aware Proxy (IAP) and VPC Service Controls to create a secure, unified perimeter.
How It Works
Start secure with a built-in foundation. Establish governance with custom guardrails. Assign every human and agent an Identity. Deploy defense-in-depth Access Management to dictate what they can do. Finally, evaluate Access Risk to secure the context of every session.
Give every agent a unique, short-lived identity using the SPIFFE framework for secretless mTLS authentication. Onboard users by federating your existing identity provider. Eradicate risky keys by allowing keyless multi-cloud or on-prem authentication using Workload Identity Federation. Safely orchestrate OAuth flows so agents act for users without ever exposing credentials.
Use Gemini Role Picker for roles from natural language. Use IAM Recommender in SCC to remove excessive access. Use Principal Access Boundaries to restrict agents and Organization Policy for hierarchy-wide guardrails. Apply IAM Conditions to enforce context-aware access based on time, device, or resource attributes.
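The paragraph above bundles three ideas that a policy review turns into concrete checks: basic roles are too broad, privileged roles should be time-bound with an IAM Condition, and conditions themselves can go stale. The script below is an added example, not Google's code or an IAM feature. It builds a conditional binding in the shape IAM accepts (policy version 3, a `condition` with `title` and a CEL `expression` on `request.time` or `resource.name`) and audits a constructed sample policy with a set of review rules that are the example's own assumptions; the principals, project and bucket names in the sample are made up.

```python
"""Audit a Google Cloud IAM policy document for over-broad or stale bindings.

Added example. The policy document mirrors the shape getIamPolicy returns
(version 3 is required once any binding carries a condition). The rules
applied here are this example's assumptions about a least-privilege review,
not a feature of IAM itself.
"""
import json
import re
from datetime import datetime, timezone

# Basic (primitive) roles grant thousands of permissions; flag them outright.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that make a resource world-readable.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles this review expects to see only with a time-bound condition (assumed list).
PRIVILEGED_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/resourcemanager.projectIamAdmin",
}

# Matches the expiry in a `request.time < timestamp("...")` condition.
TIMESTAMP_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

# Constructed sample policy (all names are fictitious).
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwXexample==",
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["serviceAccount:agent@example-project.iam.gserviceaccount.com"],
         "condition": {"title": "Break-glass until 2024-01-01",
                       "expression": 'request.time < timestamp("2024-01-01T00:00:00Z")'}},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:agent@example-project.iam.gserviceaccount.com"],
         "condition": {"title": "Only the ingest bucket",
                       "expression": 'resource.name.startsWith("projects/_/buckets/example-ingest/")'}},
        {"role": "roles/resourcemanager.projectIamAdmin",
         "members": ["group:sec-admins@example.com"]},
    ],
})


def time_bound_binding(role, member, until, title):
    """Build a binding whose IAM Condition expires at `until` (a UTC datetime)."""
    stamp = until.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "role": role,
        "members": [member],
        "condition": {"title": title,
                      "expression": f'request.time < timestamp("{stamp}")'},
    }


def expiry_of(condition):
    """Return the expiry datetime encoded in a request.time condition, or None."""
    match = TIMESTAMP_RE.search(condition.get("expression", ""))
    if not match:
        return None
    return datetime.fromisoformat(match.group(1).replace("Z", "+00:00"))


def audit_policy(policy_json, now=None):
    """Return (rule, role, detail) findings for a policy document string."""
    now = now or datetime.now(timezone.utc)
    policy = json.loads(policy_json)
    bindings = policy.get("bindings", [])
    findings = []
    # Conditions are silently dropped by the API unless the policy is version 3.
    if policy.get("version", 1) < 3 and any("condition" in b for b in bindings):
        findings.append(("POLICY_VERSION", "*", "conditional bindings need version 3"))
    for binding in bindings:
        role = binding["role"]
        condition = binding.get("condition")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(("PUBLIC_PRINCIPAL", role, member))
            if role in BASIC_ROLES:
                findings.append(("BASIC_ROLE", role, member))
            if role in PRIVILEGED_ROLES and condition is None:
                findings.append(("UNCONDITIONAL_PRIVILEGED", role, member))
        if condition is not None:
            expiry = expiry_of(condition)
            if expiry is not None and expiry <= now:
                findings.append(("EXPIRED_CONDITION", role, condition.get("title", "")))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding)
```

Running the audit on the sample reports the editor grant, the `allUsers` binding, the expired break-glass condition and the unconditional project IAM admin grant, while the bucket-scoped `resource.name` condition passes; an expired condition is worth flagging because IAM keeps the binding in the policy even after it stops granting access, which clutters later reviews.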
Ringfence Model Context Protocol (MCP) servers and data with VPC Service Controls to prevent exfiltration. Secure all agent interactions—including Agent-to-Agent (A2A) communication—by routing traffic through the Agent Gateway, where Model Armor policies block prompt injections and harmful content. Use Security Command Center (SCC) for centralized threat detection and AI posture management.
Pricing
| Package | Description | What's included |
|---|---|---|
| Google Cloud IAM | Included in the Google Cloud Console | All use of the Identity and Access Management API is free of charge |