
Summary
This detection rule alerts when a GCP Organization or Folder IAM Policy is changed manually, which may indicate misuse or unauthorized changes to IAM settings. It monitors Google Cloud Platform Audit Logs for changes made to IAM policies at the organization or folder level. The rule triggers an alert if a change is detected that did not go through an approved automation method such as Terraform. It is intended to prompt an investigation whenever a principal other than an automated service (like Terraform) makes such a change, thereby guarding against improper assignment of access rights and preserving the integrity of IAM configurations.
The rule uses a deduplication period of 1440 minutes and matches on the "SetIamPolicy" method to identify modifications. Its severity is classified as high, reflecting the criticality of IAM changes in cloud environments. Tests validate both the automated-change and manual-change paths, ensuring alerts are generated only under the expected conditions. A runbook provides remediation instructions, emphasizing the importance of requesting change management documentation explaining why any manual change was necessary and recommending Terraform for all future policy modifications to maintain consistency and ease of rollback.
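As an added illustration of the logic described above (this is not the rule's published code), the following Panther-style Python shows a rule() that fires on "SetIamPolicy" at the organization or folder level unless the principal is a known automation account. The field paths follow the GCP Cloud Audit Log schema; the Terraform service account name and the sample events are constructed assumptions.

```python
# Added example, not the detection rule's own source. Field paths follow the
# GCP Cloud Audit Log schema; the Terraform account and samples are constructed.

# Assumption: the organization's Terraform pipeline runs as this service account.
AUTOMATION_PRINCIPALS = {"terraform@example-project.iam.gserviceaccount.com"}
ORG_FOLDER_RESOURCE_TYPES = {"organization", "folder"}


def _get(event, path, default=None):
    """Walk a dotted path through nested dicts; return default if any key is absent."""
    for key in path.split("."):
        if not isinstance(event, dict) or key not in event:
            return default
        event = event[key]
    return event


def rule(event):
    """True when an org- or folder-level IAM policy is set by a non-automation principal."""
    if _get(event, "protoPayload.methodName") != "SetIamPolicy":
        return False
    if _get(event, "resource.type") not in ORG_FOLDER_RESOURCE_TYPES:
        return False
    principal = _get(event, "protoPayload.authenticationInfo.principalEmail", "")
    return principal.lower() not in AUTOMATION_PRINCIPALS


def title(event):
    """Alert title naming the principal and the resource whose policy changed."""
    principal = _get(event, "protoPayload.authenticationInfo.principalEmail", "<unknown>")
    resource = _get(event, "protoPayload.resourceName", "<unknown>")
    return f"Manual GCP IAM policy change on {resource} by {principal}"


def sample_event(principal, resource_type, resource_name):
    """Build a constructed SetIamPolicy audit log event for testing."""
    return {
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": principal},
            "resourceName": resource_name,
        },
        "resource": {"type": resource_type},
    }


# Constructed cases: a human user on an organization (fires), the Terraform
# service account on a folder (does not fire), and a project-level change (ignored).
MANUAL = sample_event("alice@example.com", "organization", "organizations/123456789012")
AUTOMATED = sample_event("terraform@example-project.iam.gserviceaccount.com", "folder", "folders/987654321098")
PROJECT = sample_event("alice@example.com", "project", "projects/example-project")
```

The project-level case is included to show that the rule scopes itself to organization and folder resources only, as the summary states.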
Categories
- Cloud
- AWS
- GCP
- Identity Management
Data Sources
- Group
- Cloud Service
- User Account
- Logon Session
- Cloud Storage
- Scheduled Job
ATT&CK Techniques
- T1556.009
Created: 2022-09-02