GCP Corporate Email Not Used

Panther Rules

Summary
This detection rule identifies cases where a non-corporate Gmail account is used instead of a corporate email address in Google Cloud Platform Identity and Access Management (IAM) settings. Its purpose is to ensure that only validated corporate accounts are used to access and manage Google Cloud resources. The rule uses GCP Audit Logs to monitor changes to IAM policies, looking specifically for events in which a user with a Gmail address is added to an IAM policy. When a Gmail account is detected, the rule flags it as a potential security risk, since it could indicate unauthorized or non-compliant access to sensitive resources. The alert severity is low, but it still requires attention because of the potential security and compliance implications. The associated runbook suggests removing such users, in line with corporate policy on account usage.
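The check described in the summary, sketched as an added example (this is not the rule's own source). It assumes audit records that carry `protoPayload.methodName` equal to `SetIamPolicy` and list changes under `protoPayload.serviceData.policyDelta.bindingDeltas`; the function names and sample events are constructed for illustration.

```python
# Added example: constructed events, not Panther's rule source.
GMAIL_SUFFIX = "@gmail.com"

def binding_deltas(event):
    """Return bindingDeltas from a SetIamPolicy audit record, else []."""
    payload = event.get("protoPayload") or {}
    if payload.get("methodName") != "SetIamPolicy":
        return []
    policy_delta = (payload.get("serviceData") or {}).get("policyDelta") or {}
    return policy_delta.get("bindingDeltas") or []

def gmail_members_added(event):
    """List (address, role) for each Gmail user the event ADDs to a policy."""
    hits = []
    for delta in binding_deltas(event):
        if delta.get("action") != "ADD":      # only additions grant new access
            continue
        kind, _, address = (delta.get("member") or "").partition(":")
        address = address.lower()             # email domains are case-insensitive
        if kind == "user" and address.endswith(GMAIL_SUFFIX):
            hits.append((address, delta.get("role")))
    return hits

def _event(method, deltas):
    """Build a constructed audit record with the assumed field layout."""
    return {"protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}}

SAMPLE_EVENTS = [  # constructed, not real log data
    _event("SetIamPolicy", [
        {"action": "ADD", "role": "roles/editor", "member": "user:Jane.Doe@Gmail.com"},
        {"action": "ADD", "role": "roles/viewer", "member": "user:ops@example.com"}]),
    _event("SetIamPolicy", [
        {"action": "REMOVE", "role": "roles/editor", "member": "user:old@gmail.com"}]),
    _event("SetIamPolicy", [
        {"action": "ADD", "role": "roles/viewer", "member": "user:sam@gmail.com.example.com"}]),
    _event("GetIamPolicy", []),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        actor = ev["protoPayload"]["authenticationInfo"]["principalEmail"]
        for address, role in gmail_members_added(ev):
            print(f"event {i}: {actor} granted {role} to {address}")
```

Matching on the address suffix after the `user:` prefix avoids false positives on corporate domains that merely contain the string `gmail.com`, and skipping `REMOVE` deltas keeps the runbook's own cleanup from re-alerting.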
Categories
  • Cloud
  • Identity Management
Data Sources
  • Group
  • User Account
  • Cloud Service
ATT&CK Techniques
  • T1136
Created: 2022-09-02