Discover critical security vulnerabilities in Google Cloud's Identity-Aware Proxy (IAP) through this conference talk that exposes how misconfigurations can lead to data exfiltration even in highly secured environments. Learn about a newly identified IAP vulnerability that enables attackers to bypass network controls and extract data without sending traffic to the public internet, circumventing protections like VPC Service Controls and hardened perimeters. Explore real-world examples of dangerous IAM binding configurations, misplaced trust in user-supplied headers, and overlooked endpoints that expand attack surfaces in GCP environments. Gain deep insights into IAP's internal architecture and mechanisms, understand how subtle configuration errors can compromise supposedly secure cloud infrastructures, and develop practical detection strategies to identify these vulnerabilities. Examine the critical importance of properly defining trust boundaries in Google Cloud Platform and learn to challenge assumptions about IAP as an ultimate security gatekeeper for internal services.