gcp-security-dual-control-plane-access-and-data

Status: OUT

GCP security governance operates through two independent, non-overlapping control planes. IAM controls who can access resources, via layered deny-first evaluation and service account hardening. CMEK controls whether data remains readable at all, via the key lifecycle. Compromising one plane does not compromise the other, but production security requires operating both simultaneously.
