This Google Cloud Platform security best practice is part of the Identity and Access Management security domain.
Personnel, contractors and third-party personnel shall only be provided with access to the network and network services that they have been specifically authorized to use.
Cloud IAM lets you control who can access your projects. You can grant and scope permissions to specific GCP resources in your projects. Cloud IAM roles can be granted to a specific Google user account, service account, or group, or to everyone in a domain. You can also set Cloud IAM roles at the organizational level, folder level, or project level to allow projects and resources to inherit the Cloud IAM permissions.
Data and asset owners shall review users' (personnel, contractors and third-party personnel) access rights at regular intervals. Review cycles shall be scheduled monthly, quarterly or yearly, depending on use and criticality.
Forseti IAM Explain can help with auditing IAM permissions, and custom tools can integrate with the IAM APIs to perform audits. You can further enforce domain restricted sharing using the domain restricted sharing organization policy constraint.
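As an added example (not code from the page, from Forseti or from Google), the following Python script applies the access-review rules described above to an exported IAM policy: it flags members outside the allowed domains (the same check the domain restricted sharing constraint enforces), public principals, and basic roles. The corporate domain example.com and the sample policy are assumptions.

```python
"""Flag IAM bindings that should not survive a periodic access review.

Added example, not the page's own code. It mimics the domain restricted
sharing check (org policy constraint constraints/iam.allowedPolicyMemberDomains)
on a policy exported with `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY is constructed data; example.com is the assumed corporate domain.
"""
import json

ALLOWED_DOMAINS = {"example.com"}
# Members that grant access to the whole internet or to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Basic (primitive) roles are too broad for production projects.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:auditors@example.com", "user:bob@gmail.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["serviceAccount:build@proj-123.iam.gserviceaccount.com"]},
    ],
})

def member_domain(member):
    """Domain of a user:, group:, serviceAccount: or domain: member, else None."""
    kind, _, value = member.partition(":")
    if kind == "domain":
        return value
    if kind in ("user", "group", "serviceAccount"):
        return value.rsplit("@", 1)[-1]
    return None

def review_policy(policy_json, allowed_domains=ALLOWED_DOMAINS):
    """Return (role, member, issue) for every binding that breaks a review rule."""
    findings = []
    for binding in json.loads(policy_json)["bindings"]:
        role = binding["role"]
        for member in binding["members"]:
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, "public"))
                continue
            domain = member_domain(member)
            # Project service accounts live under gserviceaccount.com; treat as internal.
            if domain and not domain.endswith("gserviceaccount.com") and domain not in allowed_domains:
                findings.append((role, member, "external-domain"))
            if role in BASIC_ROLES:
                findings.append((role, member, "basic-role"))
    return findings
```

Run against a real export, each finding is a binding for the data owner to confirm or remove during the scheduled review.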