Cloud IAM best practices


When using Cloud IAM, you should map IAM policies to functional identities using groups:

  • Grant functional sets of IAM roles to groups rather than to individual users, with clear permission scopes and boundaries (organization, folder, project, resource).
  • Use groups to mirror on-premises workflows (networking, DevOps, etc.) or map to new cloud-specific workflows.
  • Sync groups from your identity source of truth so that the same join/leave process governs cloud access and no separate offboarding step is needed.
  • Define and enforce a naming convention for group names.
  • Minimize the points where IAM policies are applied by using folders.
  • Optionally nest groups when specific cross-team functions are shared across different teams.
  • Optionally restrict which identities can be added to IAM policies via the constraints/iam.allowedPolicyMemberDomains organization policy. Note that the constraint is keyed by Cloud Identity or Google Workspace customer ID rather than by DNS domain name.
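The conventions above are easiest to keep when something checks them on every policy export. The script below, added here as an example and not part of the original page or of any Google tooling, lints a policy in the JSON shape produced by `gcloud projects get-iam-policy PROJECT --format=json` (the same shape is used for folders and organizations). It flags individual users and public principals bound directly, group names that break a naming convention, and members from domains outside an allow-list. The naming convention (`gcp-<scope>-<function>`) and the allowed domain `example.com` are assumptions for the example, and the domain check is a stand-in for what `constraints/iam.allowedPolicyMemberDomains` enforces at the organization level. The sample policy is constructed inline.

```python
"""Lint a Cloud IAM policy export against group-based binding conventions.

Example code added to illustrate the practices above; the naming convention
and allowed domain below are assumptions, not Google defaults.
"""
import json
import re
import sys

# Assumed naming convention: gcp-<scope>-<function>, checked on the local part
# of the group address only (the domain is checked separately).
GROUP_LOCAL_PART_RE = re.compile(r"^gcp-[a-z0-9]+-[a-z0-9-]+$")

# Assumed allow-list. The real org policy constraint works on customer IDs,
# not DNS names; this is a local approximation for offline review.
ALLOWED_DOMAINS = {"example.com"}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def _split_member(member):
    """Return (kind, identifier) for a member such as 'group:x@example.com'."""
    if member in PUBLIC_PRINCIPALS:
        return member, ""
    kind, _, ident = member.partition(":")
    return kind, ident


def _domain_of(email):
    return email.rsplit("@", 1)[-1].lower()


def lint_policy(policy):
    """Return (role, member, problem) tuples for every binding that breaks a convention.

    serviceAccount:, domain: and deleted: members are passed through untouched;
    service accounts are expected to be bound individually.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            kind, ident = _split_member(member)
            if kind in PUBLIC_PRINCIPALS:
                findings.append((role, member, "public principal; bind a group instead"))
            elif kind == "user":
                findings.append((role, member, "individual user bound directly; bind a group instead"))
                if _domain_of(ident) not in ALLOWED_DOMAINS:
                    findings.append((role, member, "user domain not allowed"))
            elif kind == "group":
                local = ident.partition("@")[0]
                if not GROUP_LOCAL_PART_RE.match(local):
                    findings.append((role, member, "group name violates naming convention"))
                if _domain_of(ident) not in ALLOWED_DOMAINS:
                    findings.append((role, member, "group domain not allowed"))
    return findings


# Constructed sample in the gcloud get-iam-policy JSON shape.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/compute.networkAdmin",
         "members": ["group:gcp-prod-networking@example.com"]},
        {"role": "roles/owner",
         "members": ["user:alice@example.com", "group:devops@example.com"]},
        {"role": "roles/viewer",
         "members": ["group:gcp-prod-readonly@contractor-example.net",
                     "allAuthenticatedUsers",
                     "serviceAccount:ci@my-project.iam.gserviceaccount.com"]},
    ],
}


if __name__ == "__main__":
    # Pass a file saved from `gcloud ... get-iam-policy --format=json`,
    # or run with no argument to lint the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    for role, member, problem in lint_policy(policy):
        print(f"{role}\t{member}\t{problem}")
```

Run it against exports from each folder and project in the hierarchy; a policy that produces no findings at the folder level and few at the project level is what the "minimize the points where IAM policies are applied" bullet is aiming for.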