Fine-tune an LLM on Vertex AI, own the whole GCP project
If your team trains models or fine-tunes LLMs on Vertex AI, one training permission is all it takes to take over the whole project.
TL;DR
A principal with one permission, aiplatform.customJobs.create, can run code as Google's managed Custom Code Service Agent, which hands out a cloud-platform token (the exact scope Google's docs say it can't have) and can mint tokens for any service account in the project. That is a low-privilege ML role turning into effective project Editor, with no actAs and no user interaction.
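
To see who in a project is exposed to this path, the following added example (not code from the original post) audits an IAM policy export for members who hold aiplatform.customJobs.create without already being Editor or Owner. The sample policy, the custom role names and the short list of predefined roles are assumptions constructed for illustration.

```python
PERMISSION = "aiplatform.customJobs.create"
# Assumption: predefined roles carrying PERMISSION. Not exhaustive; confirm
# with `gcloud iam roles describe ROLE` for the roles used in your project.
PREDEFINED_WITH_PERMISSION = {"roles/aiplatform.user", "roles/aiplatform.admin"}
# Members holding these gain nothing from the escalation, so they are skipped.
ALREADY_PRIVILEGED = {"roles/editor", "roles/owner"}

def roles_granting(custom_roles):
    """Role names (predefined and custom) that include PERMISSION."""
    granting = set(PREDEFINED_WITH_PERMISSION)
    for role in custom_roles:
        if PERMISSION in role.get("includedPermissions", []):
            granting.add(role["name"])
    return granting

def find_escalation_paths(policy, custom_roles):
    """Sorted (member, role) pairs: can create custom jobs, not yet Editor/Owner.

    Group members are reported as the group; expanding them is out of scope.
    """
    granting = roles_granting(custom_roles)
    privileged, candidates = set(), {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in ALREADY_PRIVILEGED:
                privileged.add(member)
            elif role in granting:
                candidates.setdefault(member, set()).add(role)
    return sorted((m, r) for m, rs in candidates.items()
                  if m not in privileged for r in rs)

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/aiplatform.user", "members": [
        "user:ml-eng@example.com",
        "serviceAccount:trainer@example-project.iam.gserviceaccount.com"]},
    {"role": "projects/example-project/roles/mlTrainer",
     "members": ["group:data-science@example.com"]},
    {"role": "roles/editor", "members": ["user:platform-admin@example.com"]},
    {"role": "roles/aiplatform.admin", "members": ["user:platform-admin@example.com"]},
    {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
]}
# Constructed custom roles, shaped like `gcloud iam roles list --project` output.
SAMPLE_CUSTOM_ROLES = [
    {"name": "projects/example-project/roles/mlTrainer",
     "includedPermissions": [PERMISSION, "aiplatform.customJobs.get"]},
    {"name": "projects/example-project/roles/mlReader",
     "includedPermissions": ["aiplatform.customJobs.get"]},
]

if __name__ == "__main__":
    for member, role in find_escalation_paths(SAMPLE_POLICY, SAMPLE_CUSTOM_ROLES):
        print(f"{member} can create custom jobs via {role}")
```

Every member it reports should be treated as holding effective Editor when reviewing access.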