Status: OUT
GKE workload security requires mastery of two orthogonal dimensions: naming-dependent identity isolation where namespace/service-account conventions determine IAM identity across clusters (creating cross-cluster identity collisions from naming mistakes), AND the platform's dual IAM/CMEK control planes where access governance and data governance operate independently — making GKE security simultaneously a function of team naming discipline and architectural control-plane design.