Why it matters
IAM is the top control plane for security. Getting it right prevents most breach patterns. GCP's hierarchical model is often cleaner than AWS's for organizations that map to it well.
The architecture
Principals are users (Google accounts), groups, service accounts, and workload identities. Service accounts are especially important — they're the identity of running code.
Roles are collections of permissions. Predefined roles (roles/storage.admin, roles/compute.viewer) cover common cases. Custom roles let you define your own permission bundles.
How it works end to end
IAM policies attach to resources. A policy is a set of bindings: (role, principal) pairs. Policies are inherited: a role granted at the folder level applies to every project in the folder and every resource in those projects.
Conditional bindings add context: time-of-day restrictions, resource-tag restrictions, IP-address restrictions.
Workload Identity Federation lets external identities (AWS, Azure, on-prem) assume GCP service accounts without service account keys.