IAM says the agent may act. Can the customer prove why it did?
This runnable lab composes with Google Cloud controls instead of replacing them. IAM and a Model Armor-shaped content check both return allow. A separate, customer-controlled boundary still refuses a high-blast-radius roles/owner grant until exact, two-person, single-use evidence arrives.
Independent Apache-2.0 demonstration. No Google service is called. Not affiliated with, endorsed by, or deployed at Google. Google Cloud, Gemini, and Model Armor are referenced nominatively to describe the composition boundary.
Five refusals. One mutation. No second chance.
Local authorization and external reliance are different decisions.
The lab does not claim Google Cloud lacks security controls. It demonstrates the complementary artifact a regulated customer needs when the consequence must remain independently explainable after the agent session, vendor log, or cloud account is gone.
The refuse cases are the product claim.
No customer evidence
IAM and content controls allow. The customer-pinned evidence requirement is still unsatisfied. The GCP client is never called.
One signer for a two-person rule
A real device-bound human signoff is valid, but insufficient for a roles/owner mutation requiring quorum.
Viewer evidence presented for Owner
The signed evidence binds roles/viewer. The observed system-of-record call requests roles/owner. Exact-field binding refuses the drift.
Receipt altered after issuance
Changing a signed field breaks the receipt. A structurally plausible object is not accepted evidence.
Exact two-person evidence
Two distinct human ceremonies bind the exact project, member, role, and action. The mutation executes once and emits a reliance packet.
Accepted evidence replayed
The same receipt is presented again. One-time consumption refuses the second mutation.
The production enforcement path, not a policy stub.
The example invokes EMILIA's MCP tool wrapper with the existing Google Cloud action pack and Gate. The valid path uses Ed25519 receipt signing plus WebAuthn-shaped P-256 per-signer evidence. The Gate binds action type, project, member, and role; consumes the receipt once; calls the injected GCP client; and returns an execution-bound reliance packet.
Evidence that the rule ran is not proof the rule was wise.
The lab proves the customer-pinned evidence and execution-binding checks passed for this mutation. It does not prove that granting roles/owner was a good decision, that Google's own control decisions were correct, or that an unmediated write path did not exist. Production deployments must pin real issuer and approver keys, use durable atomic consumption, and mediate every protected mutation path.
Give the lab to the people shipping Google Cloud agents.
The question is intentionally narrow: should a regulated customer be able to pin an evidence requirement that remains independently verifiable after Google-side controls have allowed the call?