GateAgent GuardProtocolObservatoryMCPGovGuardSovereigntyFinGuardQuorumDemoTry itVerifyPricingDocsRequest Pilot
OPEN COMPATIBILITY LAB · GOOGLE CLOUD-SHAPED MUTATION

IAM says the agent may act. Can the customer prove why it did?

This runnable lab composes with Google Cloud controls instead of replacing them. IAM and a Model Armor-shaped content check both return allow. A separate, customer-controlled boundary still refuses a high-blast-radius roles/owner grant until exact, two-person, single-use evidence arrives.

Run the labGoogle Cloud MCP controls

Independent Apache-2.0 demonstration. No Google service is called. Not affiliated with, endorsed by, or deployed at Google. Google Cloud, Gemini, and Model Armor are referenced nominatively to describe the composition boundary.

THE ONE-COMMAND RESULT

Five refusals. One mutation. No second chance.

EXTERNAL RELIANCE LAB
$ node examples/google-cloud-reliance/demo.mjs IAM ALLOW MODEL ARMOR-SHAPED CHECK ALLOW NO CUSTOMER EVIDENCE REFUSE ONE SIGNER / QUORUM RULE REFUSE VIEWER -> OWNER DRIFT REFUSE TAMPERED RECEIPT REFUSE EXACT TWO-PERSON EVIDENCE RELY · EXECUTE ONCE REPLAY REFUSE REAL MUTATION COUNT 1
THE DISTINCTION

Local authorization and external reliance are different decisions.

The lab does not claim Google Cloud lacks security controls. It demonstrates the complementary artifact a regulated customer needs when the consequence must remain independently explainable after the agent session, vendor log, or cloud account is gone.

Google-side controls
Authenticate the caller, apply IAM, govern MCP tools, and inspect calls or responses for security threats.
Customer reliance boundary
Require the exact action to carry sufficient, fresh, unused evidence under a profile the customer controls.
Portable result
Bind the execution to the authorization decision and emit a reliance packet that an auditor can inspect outside the agent runtime.
ATTACK THE BOUNDARY

The refuse cases are the product claim.

REFUSE

No customer evidence

IAM and content controls allow. The customer-pinned evidence requirement is still unsatisfied. The GCP client is never called.

REFUSE

One signer for a two-person rule

A real device-bound human signoff is valid, but insufficient for a roles/owner mutation requiring quorum.

REFUSE

Viewer evidence presented for Owner

The signed evidence binds roles/viewer. The observed system-of-record call requests roles/owner. Exact-field binding refuses the drift.

REFUSE

Receipt altered after issuance

Changing a signed field breaks the receipt. A structurally plausible object is not accepted evidence.

RELY

Exact two-person evidence

Two distinct human ceremonies bind the exact project, member, role, and action. The mutation executes once and emits a reliance packet.

REFUSE

Accepted evidence replayed

The same receipt is presented again. One-time consumption refuses the second mutation.

WHAT ACTUALLY RUNS

The production enforcement path, not a policy stub.

The example invokes EMILIA's MCP tool wrapper with the existing Google Cloud action pack and Gate. The valid path uses Ed25519 receipt signing plus WebAuthn-shaped P-256 per-signer evidence. The Gate binds action type, project, member, and role; consumes the receipt once; calls the injected GCP client; and returns an execution-bound reliance packet.

GCP action pack
MCP tool mapping and exact system-of-record material-field binding.
Quorum verifier
Two distinct human/device ceremonies; a single signer is insufficient.
Consumption store
The accepted receipt can authorize at most one mutation.
Reliance packet
The execution record names the authorization decision it consumed.
HONEST BOUNDARY

Evidence that the rule ran is not proof the rule was wise.

The lab proves the customer-pinned evidence and execution-binding checks passed for this mutation. It does not prove that granting roles/owner was a good decision, that Google's own control decisions were correct, or that an unmediated write path did not exist. Production deployments must pin real issuer and approver keys, use durable atomic consumption, and mediate every protected mutation path.

Give the lab to the people shipping Google Cloud agents.

The question is intentionally narrow: should a regulated customer be able to pin an evidence requirement that remains independently verifiable after Google-side controls have allowed the call?

Inspect the six casesReproduce it with us
External Reliance Lab for Google Cloud MCP | EMILIA Protocol