Google Vertex AI in Practice

Security Command Center Findings for Vertex AI Workloads

If your organization runs Security Command Center, your Claude-on-Vertex projects will start generating findings. Here is how to read them without either panicking or ignoring them.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Security Command Center (SCC) is Google Cloud's security posture and threat-detection service: it continuously scans your organization's projects and raises findings — records of misconfigurations, risky permissions, or suspicious activity. A project that calls Claude on Vertex AI is, from SCC's point of view, just another Google Cloud project. That is mostly good news: the workload inherits the same posture monitoring as everything else in your estate. But it means someone has to decide which findings against your Claude project actually matter.

One honest caveat up front: SCC's exact finding categories, detectors, and severity labels depend on your SCC tier and change over time — check the official SCC documentation for the current catalogue. What follows is the triage logic, grounded in how Claude on Vertex is actually configured.

The finding themes that matter for a Claude workload

Identity and access findings. The riskiest misconfigurations around a Vertex AI Claude workload are IAM-shaped: broad roles granted at the project or organization level where the workload only needs the Vertex AI User role (roles/aiplatform.user), long-lived service account keys where an attached identity would do, and grants to overly wide principals. When SCC flags over-privileged principals or exposed service account keys in a project that can call Claude, treat it as high priority — that credential can read whatever data your application feeds into prompts.

Logging and monitoring gaps. Data Access audit logs — the log type that records who actually called the model — are disabled by default on Vertex AI. Posture checks that flag incomplete audit logging are worth acting on here: without Data Access logs enabled for aiplatform.googleapis.com, you cannot later answer "who called Claude and when." See the audit logs deep dive.

Network and perimeter findings. If your security architecture expects sensitive projects to sit inside a VPC Service Controls perimeter, findings about resources outside a perimeter deserve attention: Google documents VPC Service Controls as the mechanism that keeps online inference requests and responses from leaving your defined boundary. Related: administrators can restrict endpoint usage via the org policy constraint constraints/gcp.restrictEndpointUsage, so a policy-violation finding may indicate someone routed around your intended regional setup.

Threat detections. Findings driven by anomalous behavior — unusual service account activity, credential use from unexpected locations — apply to Claude projects exactly as to any other. The account that calls Claude at 3 a.m. from a new geography merits the same investigation it would if it were reading a database.

Triage: remediate, accept, or mute

Finding patternUsual disposition
Over-broad IAM roles, user-managed SA keys, public exposure of supporting resources (buckets, functions)Remediate. These are genuine attack surface.
Data Access audit logging disabled on the Vertex projectRemediate — enable it before launch, not after an incident.
Resource outside a VPC-SC perimeter, where the project is a sanctioned exception (e.g. a dev sandbox)Accept with documentation — record the rationale and an expiry date.
Findings about intentional architecture (e.g. use of the global endpoint where residency rules permit it)Accept after confirming it matches your data-residency decision; revisit if policy changes.
Rule of thumb: remediation is for findings that expand who can call the model or read its traffic; acceptance is for findings that merely describe a design choice you made on purpose — and acceptance should always leave a written trail.

Make the workload legible to your security team

SCC triage gets dramatically easier when Claude usage is contained: a dedicated project (or small set of projects) for Claude workloads, least-privilege service accounts per application, and no standing human access in production. That way, "findings affecting our AI workload" is a project filter rather than a manual hunt. Compliance posture is inherited from Google Cloud here — confirm certification and boundary specifics for your industry with your provider rather than assuming.

Where to go next

Pair this with VPC Service Controls for Vertex and org policy constraints for the preventive layer, and the audit log query cookbook for the investigative one.

Sources