{"id":"gke-identity-isolation-shifts-risk-to-namespace-discipline","text":"GKE Workload Identity addresses service account key risks (dual nature, default editor role, impersonation surface) but shifts security requirements to namespace and naming discipline — same namespace + same KSA name = same GCP identity regardless of intent, requiring organizational practices rather than just enabling the feature.","truth_value":"OUT","source":"","source_url":"","source_hash":"","justifications":[],"dependents":[],"metadata":{"_retracted":true},"explanation":{"steps":[{"node":"gke-identity-isolation-shifts-risk-to-namespace-discipline","truth_value":"OUT","reason":"retracted premise"}]}}