https://cloud.google.com/access-transparency Access approval Explicitly approve access to your data or configurations on Google Cloud. Access Approval requests, when combined with Access Transparency logs, can be used to audit an end-to-end chain from support ticket to access request to approval, to eventual access.

To monitor and get notified in case the script causing the Compute Engine instance to crash is executed again, you should create an Alerting Policy in Stackdriver (now known as Google Cloud Monitoring). The Process Health condition can be set to monitor the number of executions of the script and ensure it remains below the desired threshold. By enabling notifications, you will be alerted if this threshold is exceeded.
Step-by-Step:
Log Script Executions: Ensure that the script execution is logged.
Create a User-Defined Metric: Go to Google Cloud Console > Logging > Logs-based Metrics, and create a new user-defined metric that counts the number of times the script executes.
Set Up Alerting Policy:
Navigate to Google Cloud Console > Monitoring > Alerting.
Click on "Create Policy".
Add a condition and select "Logs-based Metric".
Configure the condition to trigger when the number of script executions exceeds the threshold.
Configure Notifications: Add notification channels (email, SMS, etc.) to the alerting policy.
Save and Test: Save the policy and test to ensure notifications are received when the script is executed beyond the threshold.
Google Cloud Logging User-defined Metrics
Google Cloud Monitoring Alerting Policies

To minimize the usage of service account keys and implement Workload Identity Federation (WIF) with your on-premises identity provider, you can use a workload identity pool integrated with your corporate Active Directory Federation Service (ADFS). This setup allows your on-premises Windows-based applications to authenticate to Google Cloud APIs without using long-lived service account keys.
Set Up a Workload Identity Pool:
In the Google Cloud Console, go to IAM & Admin > Workload Identity Federation.
Create a new workload identity pool.
Configure the pool to trust your corporate ADFS by specifying the federation provider details.
Create a Workload Identity Provider:
Within the created pool, set up a new provider for ADFS.
Configure the provider with the necessary details such as the issuer URL and credentials.
Configure Impersonation Rules:
Set up rules to allow principals in the workload identity pool to impersonate specific Google Cloud service accounts.
This is done by specifying the identity provider and the conditions under which the service accounts can be impersonated.
Update Applications:
Modify your on-premises applications to use the configured ADFS authentication to obtain tokens.
These tokens can then be exchanged for Google Cloud access tokens to interact with Google Cloud APIs securely.
By setting up the workload identity pool and configuring impersonation rules, you achieve secure authentication without needing to distribute and manage service account keys.
Workload Identity Federation Documentation
Federating On-Premises Identities to Workload Identity Federation

Titan Security Keys are a physical form of two-step verification (2SV) that provide the highest level of account security by using cryptographic signatures to verify the user and the URL of the login page.
* Cryptographic Security: Titan Security Keys use a hardware-based cryptographic method to authenticate users, which is resistant to phishing attacks. This ensures that the authentication process is secure and not susceptible to being intercepted or spoofed.
* URL Verification: Titan Security Keys verify the URL of the login page during the authentication process, providing an additional layer of security against phishing attempts that may try to redirect users to malicious websites.
* Ease of Use: These keys are easy to use and integrate with Google's 2SV process, providing a seamless and highly secure authentication method for users.
References
* Titan Security Keys