Gemini Cloud Assist operates using two distinct identity modes to manage permissions and auditing. The mode used depends on how an action is triggered: interactively by a user or proactively by the system.
Identity modes summary
The following table summarizes the security and permission models for each mode:
| Identity mode | Trigger | Permission source |
|---|---|---|
| End-user identity | Chat and interactive requests | Your personal IAM permissions |
| Agent identity | Autonomous background tasks | A dedicated service account |
End-user identity
When you interact with Gemini Cloud Assist through the chat panel or use interactive actions, the service uses your end-user identity.
In this mode, Gemini Cloud Assist inherits your existing permissions to access resources and perform actions. The assistant cannot see or modify any resource that you don't have permission to access yourself. All state-changing actions, known as resource mutations, require your explicit consent and are recorded in Cloud Audit Logs under your identity.
Agent identity
When Gemini Cloud Assist performs autonomous background tasks—such as investigating alerts or analyzing cost anomalies—it uses a dedicated agent identity. Proactive investigation of alerts does not support log-based alerts.
The agent identity is a system-provisioned IAM principal unique to your project. This allows Gemini Cloud Assist to function without an active user session while maintaining a strict security boundary.
Governance and controls
Administrators manage the agent identity through the following mechanisms:
- Configurable permissions: Unlike user identities, an administrator must explicitly grant IAM roles to the agent identity.
- Scoped access: By default, the agent is restricted to read-only telemetry and logs. It cannot access sensitive data in databases or storage buckets unless specifically authorized.
- Audit logging: All autonomous actions are fully audit-logged. Proactive results are tagged as System generated in the Google Cloud console to distinguish them from user-initiated actions.
What's next
- Set up Proactive Mode and provision an agent identity.
- Learn how to configure proactive investigations for alert policies.
- Review IAM requirements for users and agents.