Google Vertex AI in Practice

GCP Org Policies That Block Vertex AI Claude Requests

Your code is right, your IAM roles are right, and the request still fails. In a locked-down Google Cloud organization, the culprit is often an organization policy you didn't know existed.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Organization policies (org policies) are Google Cloud's mechanism for setting guardrails across an entire company: which services can be enabled, which regions resources may live in, which API endpoints may be called. They are set by administrators at the organization or folder level and apply to every project underneath. That is exactly what makes them confusing when you're debugging a Claude integration — the policy was probably set by a platform team years ago, it doesn't mention Claude anywhere, and the error it produces rarely says "org policy" in plain words.

The policy that blocks enabling Claude in the first place

Claude is a partner model on Vertex AI: you enable each model through its Model Garden card and accept terms of service. That enablement flow runs through the Cloud Commerce Consumer Procurement API (cloudcommerceconsumerprocurement.googleapis.com). If your organization restricts which services can be used, that API must be allowed — otherwise the "Enable" step in Model Garden fails before you ever make an inference call.

Organizations using Assured Workloads (Google's controlled-environment offering for regulated workloads) hit a stricter version of this: enabling Claude through the Marketplace inside an Assured Workloads boundary may require explicit violation exceptions for cloudcommerceconsumerprocurement.googleapis.com and commerceagreement.googleapis.com. If your compliance team owns that boundary, involve them before the pilot, not after.

The policy that blocks the global endpoint

Claude on Vertex can be called through three endpoint types: global, multi-region (us/eu), and regional. Administrators who need every request to stay in a known geography can set the org policy constraint constraints/gcp.restrictEndpointUsage to block the global endpoint and force regional ones. If your application was built with AnthropicVertex(project_id=..., region="global") and this constraint is active, requests will be rejected even though the same code works fine in an unrestricted project. The fix is to switch to an allowed regional or multi-region endpoint — and note that regional and multi-region endpoints carry a 10% pricing premium over global for Claude Sonnet 4.5 and later models.

Rule of thumb: if a Vertex AI Claude request works in a personal sandbox project but fails in a corporate project with identical code and IAM roles, suspect an org policy before you suspect the SDK.

Policies that break the application around Claude

Some constraints don't target Vertex AI at all but still take your Claude application down. Two common categories, which the exact constraint names in your organization will vary for:

Because constraint names and behavior change over time, check the official org policy constraints reference for the exact identifiers your admin team has set rather than pattern-matching from blog posts.

A practical diagnosis checklist

SymptomLikely policy areaWhat to check
Can't click "Enable" on the Claude Model Garden cardService restrictions on the procurement APIWhether cloudcommerceconsumerprocurement.googleapis.com is allowed; Assured Workloads exceptions
Global endpoint requests rejected; regional worksconstraints/gcp.restrictEndpointUsageEffective policy on your project; switch region parameter
Requests succeed but no logs or exports appearLogging-related constraintsEffective logging policies; audit log configuration

To see what actually applies to your project, ask an administrator to review the effective policy set on the project (org policies inherit down from organization and folders, so the project view is the truth). Also remember two non-policy blockers that look similar: the Vertex AI API (aiplatform.googleapis.com) must be enabled on the project, and Anthropic's reseller policy means a billing account managed by a prohibited reseller cannot accept the Claude terms of service at all.

Where to go next

If policies aren't the problem, work through diagnosing Vertex 403 errors and the IAM roles reference. For endpoint choices, see global vs regional endpoints.

Sources