Show HN: Qarapace – GCP IAM reviews with persistent decisions and audit trails

  • Posted 4 hours ago by gjanvier
  • 1 points
https://qarapace.com/
Hey HN, I built this because I kept postponing my own IAM reviews.

The pattern is always the same: open the GCP console, stare at 200+ bindings, feel overwhelmed, close the tab, promise to do it next month. Repeat.

Scanners exist, but they give you 500 findings and no workflow. You could paste your IAM config into ChatGPT and get a decent analysis, but next month you start from zero. No memory of what you decided, what you accepted, what you flagged.

Qarapace does two things:

1. Structured review workflow. It ranks identities by blast radius and lets you go through them one by one: validate, flag, annotate. Think inbox zero for IAM risks.

2. AI-assisted analysis. Like a code review but for permissions. It flags issues against best practices and explains why something is risky.

The key difference from a one-shot AI analysis: decisions persist. Each monthly review works on the delta. Over time you get an audit trail of security reasoning, not just a snapshot.

Stack: Angular, Firebase, Cloud Functions. Each client provides their own read-only service account key (encrypted with Cloud KMS, never stored in plaintext).

It's early and I'm the only user. Looking for feedback, especially from anyone who does (or avoids) periodic IAM reviews.

0 comments
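
The delta review the post describes (decisions persist, each review only covers what is new, identities are ranked by blast radius), sketched as an added example that is not Qarapace's code. The role weights, the shape of the decision store, the function names and the sample policy are all assumptions made here.

```python
import json
from collections import defaultdict

# Assumed weights standing in for "blast radius"; the post does not define its scoring.
ROLE_WEIGHT = {"roles/owner": 100, "roles/editor": 80, "roles/viewer": 5}
DEFAULT_WEIGHT = 20  # assumed score for any role not listed

def flatten(policy):
    """Expand bindings into (member, role) pairs. IAM conditions are ignored here."""
    return {(m, b["role"]) for b in policy.get("bindings", []) for m in b.get("members", [])}

def review_delta(policy, decisions):
    """Return (queue, gone): identities with undecided bindings, ranked by the
    weight of everything they hold, and decided bindings no longer in the policy."""
    held, pending = defaultdict(list), defaultdict(list)
    current = flatten(policy)
    for member, role in current:
        held[member].append(role)
        if (member, role) not in decisions:
            pending[member].append(role)
    score = {m: sum(ROLE_WEIGHT.get(r, DEFAULT_WEIGHT) for r in held[m]) for m in pending}
    ranked = sorted(pending, key=lambda m: (-score[m], m))
    queue = [(m, score[m], sorted(pending[m])) for m in ranked]
    gone = sorted(k for k in decisions if k not in current)
    return queue, gone

# Constructed sample in the JSON shape of `gcloud projects get-iam-policy --format=json`.
POLICY = json.loads("""{"bindings": [
  {"role": "roles/owner",  "members": ["user:alice@example.com"]},
  {"role": "roles/editor", "members": ["serviceAccount:ci@demo.iam.gserviceaccount.com",
                                        "user:bob@example.com"]},
  {"role": "roles/viewer", "members": ["user:bob@example.com", "group:devs@example.com"]}
]}""")

# Decisions carried over from the previous review (constructed).
DECISIONS = {
    ("user:alice@example.com", "roles/owner"): {"verdict": "validated", "note": "founder"},
    ("user:bob@example.com", "roles/viewer"): {"verdict": "validated", "note": "on-call"},
    ("user:carol@example.com", "roles/editor"): {"verdict": "flagged", "note": "left team"},
}

if __name__ == "__main__":
    queue, gone = review_delta(POLICY, DECISIONS)
    for member, score, roles in queue:
        print(f"{score:>4}  {member}  undecided: {roles}")
    print("decided earlier, no longer in policy:", gone)
```

Bindings already decided drop out of the queue, while a binding that disappeared since the last review is reported separately so the earlier decision can be closed out in the audit trail.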