diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
index e8743405..584462af 100644
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@@ -11,6 +11,7 @@ jobs:
       fail-fast: false
       matrix:
         module:
+          - audit-serviceaccount
           - authorize-private-service
           - bucket-events
           - cloudevent-broker
diff --git a/modules/audit-serviceaccount/README.md b/modules/audit-serviceaccount/README.md
new file mode 100644
index 00000000..e8f9dfa4
--- /dev/null
+++ b/modules/audit-serviceaccount/README.md
@@ -0,0 +1,73 @@
+# `audit-serviceaccount`
+
+This module creates an alert policy to monitor the principals that are
+generating tokens for a particular service account.
+
+The set of authorized principals can be enumerated explicitly:
+```hcl
+module "audit-foo-usage" {
+  source = "chainguard-dev/common/infra//modules/audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = google_service_account.foo.email
+
+  allowed_principals = [
+    # Only GKE should generate tokens for this service account.
+    "serviceAccount:${var.project_id}.svc.id.goog[foo-system/foo]",
+  ]
+
+  notification_channels = var.notification_channels
+}
+```
+
+Or a regular expression can be provided for the allowed principals:
+```hcl
+module "audit-foo-usage" {
+  source = "chainguard-dev/common/infra//modules/audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = google_service_account.foo.email
+
+  # Match v1.2.3 style tags on this repository.
+  allowed_principal_regex = "principal://iam[.]googleapis[.]com/${google_iam_workload_identity_pool.pool.name}/subject/repo:chainguard-dev/terraform-infra-common:ref:refs/tags/v[0-9]+[.][0-9]+[.][0-9]+"
+
+  notification_channels = var.notification_channels
+}
+```
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_monitoring_alert_policy.generate-access-token](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_allowed_principal_regex"></a> [allowed\_principal\_regex](#input\_allowed\_principal\_regex) | A regular expression to match allowed principals. | `string` | `""` | no |
+| <a name="input_allowed_principals"></a> [allowed\_principals](#input\_allowed\_principals) | The list of principals authorized to assume this identity. | `list(string)` | `[]` | no |
+| <a name="input_notification_channels"></a> [notification\_channels](#input\_notification\_channels) | The list of notification channels to alert when this policy fires. | `list(string)` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
+| <a name="input_service-account"></a> [service-account](#input\_service-account) | The email of the service account being audited. | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/modules/audit-serviceaccount/main.tf b/modules/audit-serviceaccount/main.tf
new file mode 100644
index 00000000..cbb75ffd
--- /dev/null
+++ b/modules/audit-serviceaccount/main.tf
@@ -0,0 +1,43 @@
+resource "google_monitoring_alert_policy" "generate-access-token" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Access Token Generation: ${var.service-account}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Access Token Generation"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      protoPayload.request.name="projects/-/serviceAccounts/${var.service-account}"
+      protoPayload.serviceName="iamcredentials.googleapis.com"
+      protoPayload.methodName="GenerateAccessToken"
+
+      -- Allow these principals to generate tokens.
+      ${join("\n", [for principal in var.allowed_principals : "-protoPayload.authenticationInfo.principalSubject=\"${principal}\""])}
+      ${var.allowed_principal_regex != "" ? "-protoPayload.authenticationInfo.principalSubject=~\"${var.allowed_principal_regex}\"" : ""}
+      EOT
+
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}
diff --git a/modules/audit-serviceaccount/variables.tf b/modules/audit-serviceaccount/variables.tf
new file mode 100644
index 00000000..148c1966
--- /dev/null
+++ b/modules/audit-serviceaccount/variables.tf
@@ -0,0 +1,25 @@
+variable "project_id" {
+  type = string
+}
+
+variable "service-account" {
+  description = "The email of the service account being audited."
+  type        = string
+}
+
+variable "allowed_principals" {
+  description = "The list of principals authorized to assume this identity."
+  type        = list(string)
+  default     = []
+}
+
+variable "allowed_principal_regex" {
+  description = "A regular expression to match allowed principals."
+  type        = string
+  default     = ""
+}
+
+variable "notification_channels" {
+  description = "The list of notification channels to alert when this policy fires."
+  type        = list(string)
+}
diff --git a/modules/bucket-events/README.md b/modules/bucket-events/README.md
index d45f5e37..18ab11e2 100644
--- a/modules/bucket-events/README.md
+++ b/modules/bucket-events/README.md
@@ -80,6 +80,7 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_audit-delivery-serviceaccount"></a> [audit-delivery-serviceaccount](#module\_audit-delivery-serviceaccount) | ../audit-serviceaccount | n/a |
 | <a name="module_authorize-delivery"></a> [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a |
 | <a name="module_http"></a> [http](#module\_http) | ../dashboard/sections/http | n/a |
 | <a name="module_layout"></a> [layout](#module\_layout) | ../dashboard/sections/layout | n/a |
diff --git a/modules/bucket-events/main.tf b/modules/bucket-events/main.tf
index f8f621e5..77ae5e9c 100644
--- a/modules/bucket-events/main.tf
+++ b/modules/bucket-events/main.tf
@@ -55,6 +55,22 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" {
   members = ["serviceAccount:${google_project_service_identity.pubsub.email}"]
 }
 
+module "audit-delivery-serviceaccount" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  source = "../audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = google_service_account.delivery.email
+
+  # The absence of authorized identities here means that
+  # nothing is authorized to act as this service account.
+  # Note: Cloud Pub/Sub's usage doesn't show up in the
+  # audit logs.
+
+  notification_channels = var.notification_channels
+}
+
 module "this" {
   source     = "../regional-go-service"
   project_id = var.project_id
diff --git a/modules/cloudevent-recorder/README.md b/modules/cloudevent-recorder/README.md
index 02f94a39..ed76be57 100644
--- a/modules/cloudevent-recorder/README.md
+++ b/modules/cloudevent-recorder/README.md
@@ -93,6 +93,7 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_audit-import-serviceaccount"></a> [audit-import-serviceaccount](#module\_audit-import-serviceaccount) | ../audit-serviceaccount | n/a |
 | <a name="module_recorder-dashboard"></a> [recorder-dashboard](#module\_recorder-dashboard) | ../dashboard/cloudevent-receiver | n/a |
 | <a name="module_this"></a> [this](#module\_this) | ../regional-go-service | n/a |
 | <a name="module_triggers"></a> [triggers](#module\_triggers) | ../cloudevent-trigger | n/a |
@@ -107,6 +108,7 @@ No requirements.
 | [google_bigquery_table.types](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table) | resource |
 | [google_bigquery_table_iam_binding.import-writes-to-tables](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_table_iam_binding) | resource |
 | [google_monitoring_alert_policy.bq_dts](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
+| [google_monitoring_alert_policy.bucket-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_pubsub_subscription.dead-letter-pull-sub](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription_iam_binding.allow-pubsub-to-ack](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_binding) | resource |
diff --git a/modules/cloudevent-recorder/bigquery.tf b/modules/cloudevent-recorder/bigquery.tf
index 64a3b212..c2b85b7c 100644
--- a/modules/cloudevent-recorder/bigquery.tf
+++ b/modules/cloudevent-recorder/bigquery.tf
@@ -74,6 +74,22 @@ resource "google_service_account_iam_binding" "provisioner-acts-as-import-identi
   members            = [var.provisioner]
 }
 
+module "audit-import-serviceaccount" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  source = "../audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = google_service_account.import-identity.email
+
+  # The absence of authorized identities here means that
+  # nothing is authorized to act as this service account.
+  # Note: BigQuery DTS's usage doesn't show up in the
+  # audit logs.
+
+  notification_channels = var.notification_channels
+}
+
 // Create a BQ DTS job for each of the regions x types pulling from the appropriate buckets and paths.
 resource "google_bigquery_data_transfer_config" "import-job" {
   for_each = local.regional-types
diff --git a/modules/cloudevent-recorder/main.tf b/modules/cloudevent-recorder/main.tf
index 4dbf9938..645d0129 100644
--- a/modules/cloudevent-recorder/main.tf
+++ b/modules/cloudevent-recorder/main.tf
@@ -50,3 +50,70 @@ resource "google_storage_bucket" "recorder" {
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+resource "google_monitoring_alert_policy" "bucket-access" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Event Bucket Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Bucket Access"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      protoPayload.serviceName="storage.googleapis.com"
+      protoPayload.resourceName=~"projects/_/buckets/${var.name}-(${join("|", keys(var.regions))})-${random_id.suffix.hex}"
+
+      -- Exclude things that happen during terraform plan.
+      -protoPayload.methodName=("storage.buckets.get")
+
+      -- Don't alert if someone just opens the bucket list in the UI
+      -protoPayload.methodName=("storage.managedFolders.list")
+
+      -- The recorder service write objects into the bucket.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${google_service_account.recorder.email}"
+        protoPayload.methodName="storage.objects.create"
+      )
+
+      -- The importer identity (used by DTS) enumerates and reads objects.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${google_service_account.import-identity.email}"
+        protoPayload.methodName=("storage.objects.get" OR "storage.objects.list")
+      )
+
+      -- Our CI identity reconciles the bucket.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("storage.getIamPermissions")
+      )
+
+      -- Security scanners frequently probe for public buckets via listing buckets
+      -- and then getting permissions, so we ignore these even though they pierce
+      -- the abstraction.
+      -protoPayload.methodName="storage.getIamPermissions"
+      EOT
+
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}
diff --git a/modules/cloudevent-trigger/README.md b/modules/cloudevent-trigger/README.md
index c416f092..a687da20 100644
--- a/modules/cloudevent-trigger/README.md
+++ b/modules/cloudevent-trigger/README.md
@@ -92,6 +92,7 @@ No requirements.
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_audit-trigger-serviceaccount"></a> [audit-trigger-serviceaccount](#module\_audit-trigger-serviceaccount) | ../audit-serviceaccount | n/a |
 | <a name="module_authorize-delivery"></a> [authorize-delivery](#module\_authorize-delivery) | ../authorize-private-service | n/a |
 
 ## Resources
diff --git a/modules/cloudevent-trigger/main.tf b/modules/cloudevent-trigger/main.tf
index c0dd607b..a79115c7 100644
--- a/modules/cloudevent-trigger/main.tf
+++ b/modules/cloudevent-trigger/main.tf
@@ -30,6 +30,22 @@ resource "google_service_account_iam_binding" "allow-pubsub-to-mint-tokens" {
   members = ["serviceAccount:${google_project_service_identity.pubsub.email}"]
 }
 
+module "audit-trigger-serviceaccount" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  source = "../audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = google_service_account.this.email
+
+  # The absence of authorized identities here means that
+  # nothing is authorized to act as this service account.
+  # Note: Cloud Pub/Sub's usage doesn't show up in the
+  # audit logs.
+
+  notification_channels = var.notification_channels
+}
+
 // Authorize this service account to invoke the private service receiving
 // events from this trigger.
 module "authorize-delivery" {
diff --git a/modules/configmap/README.md b/modules/configmap/README.md
index 994bf245..2c845283 100644
--- a/modules/configmap/README.md
+++ b/modules/configmap/README.md
@@ -22,7 +22,7 @@ module "my-configmap" {
   EOT
 
   # Optionally: channels to notify if this configuration is manipulated.
-  notification-channels = [ ... ]
+  notification_channels = [ ... ]
 }
 
 module "foo-service" {
@@ -77,6 +77,7 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_monitoring_alert_policy.anomalous-secret-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_secret_manager_secret.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
 | [google_secret_manager_secret_version.data](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
@@ -89,7 +90,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_data"></a> [data](#input\_data) | The data to place in the secret. | `string` | n/a | yes |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the secret. | `string` | n/a | yes |
-| <a name="input_notification-channels"></a> [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes |
+| <a name="input_notification_channels"></a> [notification\_channels](#input\_notification\_channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
 | <a name="input_service-account"></a> [service-account](#input\_service-account) | The email of the service account that will access the secret. | `string` | n/a | yes |
 
diff --git a/modules/configmap/main.tf b/modules/configmap/main.tf
index a91e401c..79481eee 100644
--- a/modules/configmap/main.tf
+++ b/modules/configmap/main.tf
@@ -28,3 +28,57 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-secret-access" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal ConfigMap Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal ConfigMap Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      -- This looks at logs from both data_access and activity, so we don't filter on either here.
+      protoPayload.serviceName="secretmanager.googleapis.com"
+      (
+        protoPayload.request.name: ("projects/${var.project_id}/secrets/${var.name}/" OR "projects/${data.google_project.project.number}/secrets/${var.name}/") OR
+        protoPayload.request.parent=("projects/${var.project_id}/secrets/${var.name}" OR "projects/${data.google_project.project.number}/secrets/${var.name}")
+      )
+
+      -- Ignore the identity that is intended to access this.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${var.service-account}"
+        protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
+      )
+
+      -- Ignore the identity as which we set this up.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.GetSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.EnableSecretVersion")
+      )
+      EOT
+
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}
diff --git a/modules/configmap/variables.tf b/modules/configmap/variables.tf
index f46502be..47de0f04 100644
--- a/modules/configmap/variables.tf
+++ b/modules/configmap/variables.tf
@@ -17,7 +17,7 @@ variable "service-account" {
   type        = string
 }
 
-variable "notification-channels" {
+variable "notification_channels" {
   description = "The channels to notify if the configuration data is improperly accessed."
   type        = list(string)
 }
diff --git a/modules/cron/README.md b/modules/cron/README.md
index 8f9fc310..ea97c3c9 100644
--- a/modules/cron/README.md
+++ b/modules/cron/README.md
@@ -70,7 +70,10 @@ No requirements.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_audit-cronjob-serviceaccount"></a> [audit-cronjob-serviceaccount](#module\_audit-cronjob-serviceaccount) | ../audit-serviceaccount | n/a |
+| <a name="module_audit-delivery-serviceaccount"></a> [audit-delivery-serviceaccount](#module\_audit-delivery-serviceaccount) | ../audit-serviceaccount | n/a |
 
 ## Resources
 
@@ -79,6 +82,8 @@ No modules.
 | [google-beta_google_cloud_run_v2_job.job](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_cloud_run_v2_job) | resource |
 | [google_cloud_run_v2_job_iam_binding.authorize-calls](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_job_iam_binding) | resource |
 | [google_cloud_scheduler_job.cron](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
+| [google_monitoring_alert_policy.anomalous-job-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
+| [google_monitoring_alert_policy.anomalous-job-execution](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_monitoring_alert_policy.success](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_project_iam_member.authorize-list](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.metrics-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
diff --git a/modules/cron/main.tf b/modules/cron/main.tf
index 876b735a..3e70d16a 100644
--- a/modules/cron/main.tf
+++ b/modules/cron/main.tf
@@ -18,6 +18,20 @@ resource "google_project_service" "cloudscheduler" {
   disable_on_destroy = false
 }
 
+module "audit-cronjob-serviceaccount" {
+  source = "../audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = var.service_account
+
+  # The absence of authorized identities here means that
+  # nothing is authorized to act as this service account.
+  # Note: Cloud Run's usage doesn't show up in the
+  # audit logs.
+
+  notification_channels = var.notification_channels
+}
+
 locals {
   repo = var.repository != "" ? var.repository : "gcr.io/${var.project_id}/${var.name}"
 }
@@ -203,6 +217,22 @@ resource "google_service_account" "delivery" {
   display_name = "Dedicated service account for invoking ${google_cloud_run_v2_job.job.name}."
 }
 
+module "audit-delivery-serviceaccount" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  source = "../audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = google_service_account.delivery.email
+
+  # The absence of authorized identities here means that
+  # nothing is authorized to act as this service account.
+  # Note: Cloud Scheduler's usage doesn't show up in the
+  # audit logs.
+
+  notification_channels = var.notification_channels
+}
+
 resource "google_cloud_run_v2_job_iam_binding" "authorize-calls" {
   project  = google_cloud_run_v2_job.job.project
   location = google_cloud_run_v2_job.job.location
@@ -252,6 +282,109 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+// Create an alert policy to notify if the job is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-job-access" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal CronJob Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal CronJob Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
+      protoPayload.serviceName="run.googleapis.com"
+      protoPayload.resourceName=("${join("\" OR \"", [
+      "namespaces/${var.project_id}/jobs/${var.name}-cron",
+      "projects/${var.project_id}/locations/${var.region}/jobs/${var.name}-cron",
+      ])}")
+
+      -- Allow CI to reconcile jobs and their IAM policies.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("${join("\" OR \"", [
+      "google.cloud.run.v2.Jobs.CreateJob",
+      "google.cloud.run.v2.Jobs.UpdateJob",
+      "google.cloud.run.v2.Jobs.SetIamPolicy",
+])}")
+      )
+      -(
+        protoPayload.authenticationInfo.principalEmail=~"${join("|", concat(var.invokers, [data.google_client_openid_userinfo.me.email]))}"
+        protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
+      )
+      EOT
+
+label_extractors = {
+  "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+  "method_name" = "EXTRACT(protoPayload.methodName)"
+  "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+}
+}
+}
+
+notification_channels = var.notification_channels
+
+enabled = "true"
+project = var.project_id
+}
+
+// Create an alert policy to notify if the job is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-job-execution" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Job Execution: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Job Execution: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      protoPayload.serviceName="run.googleapis.com"
+      protoPayload.methodName="google.cloud.run.v1.Jobs.RunJob"
+      protoPayload.resourceName=("${join("\" OR \"", [
+      "namespaces/${var.project_id}/jobs/${var.name}-cron",
+      "projects/${var.project_id}/locations/${var.region}/jobs/${var.name}-cron",
+])}")
+
+      -- Allow the delivery service account to run the job, but flag anyone else
+      -protoPayload.authenticationInfo.principalEmail=~"${join("|", [google_service_account.delivery.email, data.google_client_openid_userinfo.me.email])}"
+      EOT
+
+label_extractors = {
+  "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+  "method_name" = "EXTRACT(protoPayload.methodName)"
+  "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+}
+}
+}
+
+notification_channels = var.notification_channels
+
+enabled = "true"
+project = var.project_id
+}
+
+
 resource "google_monitoring_alert_policy" "success" {
   count = var.success_alert_alignment_period_seconds == 0 ? 0 : 1
 
diff --git a/modules/github-events/main.tf b/modules/github-events/main.tf
index eaad5f58..3a92bfc0 100644
--- a/modules/github-events/main.tf
+++ b/modules/github-events/main.tf
@@ -21,7 +21,7 @@ module "webhook-secret" {
   service-account  = google_service_account.service.email
   authorized-adder = var.secret_version_adder
 
-  notification-channels = var.notification_channels
+  notification_channels = var.notification_channels
 }
 
 module "this" {
diff --git a/modules/github-gsa/README.md b/modules/github-gsa/README.md
index 47c7708c..2182640c 100644
--- a/modules/github-gsa/README.md
+++ b/modules/github-gsa/README.md
@@ -42,7 +42,9 @@ No requirements.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_audit-usage"></a> [audit-usage](#module\_audit-usage) | ../audit-serviceaccount | n/a |
 
 ## Resources
 
diff --git a/modules/github-gsa/main.tf b/modules/github-gsa/main.tf
index e661e3ad..33547c00 100644
--- a/modules/github-gsa/main.tf
+++ b/modules/github-gsa/main.tf
@@ -132,3 +132,17 @@ resource "google_service_account_iam_binding" "allow-impersonation" {
     }
   }
 }
+
+// Create an auditing policy to ensure that tokens are only issued for identities
+// matching our expectations.
+module "audit-usage" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  source = "../audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = google_service_account.this.email
+
+  allowed_principal_regex = local.principalSubject
+  notification_channels   = var.notification_channels
+}
diff --git a/modules/regional-go-service/main.tf b/modules/regional-go-service/main.tf
index 068c892e..68f6a8c9 100644
--- a/modules/regional-go-service/main.tf
+++ b/modules/regional-go-service/main.tf
@@ -76,6 +76,11 @@ moved {
   to   = module.this.google_cloud_run_v2_service.this
 }
 
+moved {
+  from = google_monitoring_alert_policy.anomalous-service-access
+  to   = module.this.google_monitoring_alert_policy.anomalous-service-access
+}
+
 moved {
   from = google_monitoring_alert_policy.bad-rollout
   to   = module.this.google_monitoring_alert_policy.bad-rollout
diff --git a/modules/regional-service/README.md b/modules/regional-service/README.md
index 1c45d454..d732ef28 100644
--- a/modules/regional-service/README.md
+++ b/modules/regional-service/README.md
@@ -65,7 +65,9 @@ No requirements.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_audit-serviceaccount"></a> [audit-serviceaccount](#module\_audit-serviceaccount) | ../audit-serviceaccount | n/a |
 
 ## Resources
 
@@ -73,6 +75,7 @@ No modules.
 |------|------|
 | [google-beta_google_cloud_run_v2_service.this](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_cloud_run_v2_service) | resource |
 | [google_cloud_run_v2_service_iam_member.public-services-are-unauthenticated](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service_iam_member) | resource |
+| [google_monitoring_alert_policy.anomalous-service-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_project_iam_member.metrics-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.profiler-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.trace-writer](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
diff --git a/modules/regional-service/main.tf b/modules/regional-service/main.tf
index e0b8a0ee..0cb60d94 100644
--- a/modules/regional-service/main.tf
+++ b/modules/regional-service/main.tf
@@ -1,3 +1,18 @@
+module "audit-serviceaccount" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  source = "../audit-serviceaccount"
+
+  project_id      = var.project_id
+  service-account = var.service_account
+
+  # The absence of authorized identities here means that
+  # nothing is authorized to act as this service account.
+  # Note: Cloud Run's usage doesn't show up in the audit logs.
+
+  notification_channels = var.notification_channels
+}
+
 resource "google_project_iam_member" "metrics-writer" {
   project = var.project_id
   role    = "roles/monitoring.metricWriter"
@@ -267,6 +282,61 @@ data "google_project" "project" { project_id = var.project_id }
 // What identity is deploying this?
 data "google_client_openid_userinfo" "me" {}
 
+// Create an alert policy to notify if the service is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-service-access" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Service Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Service Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
+      protoPayload.serviceName="run.googleapis.com"
+      protoPayload.resourceName=("${join("\" OR \"", concat([
+      "namespaces/${var.project_id}/services/${var.name}"
+    ],
+    [
+      for region in keys(var.regions) : "projects/${var.project_id}/locations/${region}/services/${var.name}"
+    ]))}")
+
+      -- Allow CI to reconcile services and their IAM policies.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+        protoPayload.methodName=("${join("\" OR \"", [
+    "google.cloud.run.v2.Services.CreateService",
+    "google.cloud.run.v2.Services.UpdateService",
+    "google.cloud.run.v2.Services.SetIamPolicy",
+])}")
+      )
+      EOT
+
+label_extractors = {
+  "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+  "method_name" = "EXTRACT(protoPayload.methodName)"
+  "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+}
+}
+}
+
+notification_channels = var.notification_channels
+
+enabled = "true"
+project = var.project_id
+}
+
 // When the service is behind a load balancer, then it is publicly exposed and responsible
 // for handling its own authentication.
 resource "google_cloud_run_v2_service_iam_member" "public-services-are-unauthenticated" {
diff --git a/modules/secret/README.md b/modules/secret/README.md
index 5856a0f0..309cd794 100644
--- a/modules/secret/README.md
+++ b/modules/secret/README.md
@@ -21,7 +21,7 @@ module "my-secret" {
   authorized-adder = "group:oncall@my-corp.dev"
 
   # Optionally: channels to notify if this secret is manipulated.
-  notification-channels = [ ... ]
+  notification_channels = [ ... ]
 }
 
 module "foo-service" {
@@ -90,7 +90,7 @@ No modules.
 | <a name="input_authorized-adder"></a> [authorized-adder](#input\_authorized-adder) | A member-style representation of the identity authorized to add new secret values (e.g. group:oncall@my-corp.dev). | `string` | n/a | yes |
 | <a name="input_create_placeholder_version"></a> [create\_placeholder\_version](#input\_create\_placeholder\_version) | Whether to create a placeholder secret version to avoid bad reference on first deploy. | `bool` | `false` | no |
 | <a name="input_name"></a> [name](#input\_name) | The name to give the secret. | `string` | n/a | yes |
-| <a name="input_notification-channels"></a> [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes |
+| <a name="input_notification_channels"></a> [notification\_channels](#input\_notification\_channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
 | <a name="input_service-account"></a> [service-account](#input\_service-account) | The email of the service account that will access the secret. | `string` | n/a | yes |
 
diff --git a/modules/secret/main.tf b/modules/secret/main.tf
index 3beb9ff4..c5a5167c 100644
--- a/modules/secret/main.tf
+++ b/modules/secret/main.tf
@@ -41,6 +41,8 @@ data "google_project" "project" { project_id = var.project_id }
 
 // Create an alert policy to notify if the secret is accessed by an unauthorized entity.
 resource "google_monitoring_alert_policy" "anomalous-secret-access" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
   # In the absence of data, incident will auto-close after an hour
   alert_strategy {
     auto_close = "3600s"
@@ -80,7 +82,7 @@ resource "google_monitoring_alert_policy" "anomalous-secret-access" {
     }
   }
 
-  notification_channels = var.notification-channels
+  notification_channels = var.notification_channels
 
   enabled = "true"
   project = var.project_id
diff --git a/modules/secret/variables.tf b/modules/secret/variables.tf
index 89c6a005..f0df212f 100644
--- a/modules/secret/variables.tf
+++ b/modules/secret/variables.tf
@@ -17,7 +17,7 @@ variable "service-account" {
   type        = string
 }
 
-variable "notification-channels" {
+variable "notification_channels" {
   description = "The channels to notify if the configuration data is improperly accessed."
   type        = list(string)
 }
diff --git a/modules/serverless-gclb/README.md b/modules/serverless-gclb/README.md
index 6daf836b..30696365 100644
--- a/modules/serverless-gclb/README.md
+++ b/modules/serverless-gclb/README.md
@@ -95,6 +95,7 @@ No modules.
 | [google_compute_target_https_proxy.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_target_https_proxy) | resource |
 | [google_compute_url_map.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_url_map) | resource |
 | [google_dns_record_set.public-service](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_record_set) | resource |
+| [google_monitoring_alert_policy.abnormal-gclb-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
 | [google_client_openid_userinfo.me](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_openid_userinfo) | data source |
 
 ## Inputs
diff --git a/modules/serverless-gclb/main.tf b/modules/serverless-gclb/main.tf
index 030b395d..d385e35a 100644
--- a/modules/serverless-gclb/main.tf
+++ b/modules/serverless-gclb/main.tf
@@ -165,3 +165,47 @@ locals {
   )
 }
 
+resource "google_monitoring_alert_policy" "abnormal-gclb-access" {
+  count = length(var.notification_channels) > 0 ? 1 : 0
+
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal GCLB Access"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Anomaly detected"
+
+    condition_matched_log {
+      filter = <<EOT
+      logName=(
+          "projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Factivity"
+       OR "projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
+      )
+
+      protoPayload.resourceName=("${join("\" OR \"", local.audited-resources)}")
+      -- Allows robots
+      -protoPayload.authenticationInfo.principalEmail=("${join("\" OR \"", local.authorized-accounts)}")
+      -- Allow read-only operations
+      -protoPayload.methodName=~(".*\.get.*" OR ".*\.list.*" OR ".*\.aggregatedList")
+EOT
+      label_extractors = {
+        "email"       = "EXTRACT(protoPayload.authenticationInfo.principalEmail)"
+        "method_name" = "EXTRACT(protoPayload.methodName)"
+        "user_agent"  = "REGEXP_EXTRACT(protoPayload.requestMetadata.callerSuppliedUserAgent, \"(\\\\S+)\")"
+      }
+    }
+  }
+
+  notification_channels = var.notification_channels
+
+  enabled = "true"
+  project = var.project_id
+}
diff --git a/modules/workqueue/dashboard.tf b/modules/workqueue/dashboard.tf
index ba748834..0885861e 100644
--- a/modules/workqueue/dashboard.tf
+++ b/modules/workqueue/dashboard.tf
@@ -48,7 +48,7 @@ module "work-added" {
     "metric.type=\"prometheus.googleapis.com/workqueue_added_keys_total/counter\"",
     "metric.label.\"service_name\"=\"${var.name}-rcv\"",
   ]
-  group_by_fields = ["metric.label.\"service_name\""]
+  group_by_fields  = ["metric.label.\"service_name\""]
   primary_align    = "ALIGN_RATE"
   primary_reduce   = "REDUCE_NONE"
   secondary_align  = "ALIGN_NONE"
diff --git a/modules/workqueue/dispatcher.tf b/modules/workqueue/dispatcher.tf
index 4e64fb9d..864d9898 100644
--- a/modules/workqueue/dispatcher.tf
+++ b/modules/workqueue/dispatcher.tf
@@ -47,7 +47,7 @@ module "dispatcher-service" {
         importpath  = "github.com/chainguard-dev/terraform-infra-common/modules/workqueue/cmd/dispatcher"
       }
       ports = [{
-        name = "h2c"
+        name           = "h2c"
         container_port = 8080
       }]
       env = [
@@ -99,7 +99,7 @@ module "cron-trigger-calls-dispatcher" {
 
   source = "../authorize-private-service"
 
-  depends_on = [ module.dispatcher-service ]
+  depends_on = [module.dispatcher-service]
 
   project_id = var.project_id
   region     = each.key
@@ -171,7 +171,7 @@ module "change-trigger-calls-dispatcher" {
 
   source = "../authorize-private-service"
 
-  depends_on = [ module.dispatcher-service ]
+  depends_on = [module.dispatcher-service]
 
   project_id = var.project_id
   region     = each.key
diff --git a/modules/workqueue/main.tf b/modules/workqueue/main.tf
index 139cd9da..0ddf3fc4 100644
--- a/modules/workqueue/main.tf
+++ b/modules/workqueue/main.tf
@@ -18,7 +18,7 @@ resource "google_storage_bucket_iam_binding" "authorize-access" {
   for_each = var.regions
 
   bucket = google_storage_bucket.workqueue[each.key].name
-  role = "roles/storage.admin"
+  role   = "roles/storage.admin"
   members = [
     "serviceAccount:${google_service_account.receiver.email}",
     "serviceAccount:${google_service_account.dispatcher.email}",
@@ -48,7 +48,7 @@ resource "google_pubsub_topic_iam_binding" "gcs-publishes-to-topic" {
 resource "google_storage_notification" "object-change-notifications" {
   for_each = var.regions
 
-  depends_on = [ google_pubsub_topic_iam_binding.gcs-publishes-to-topic ]
+  depends_on = [google_pubsub_topic_iam_binding.gcs-publishes-to-topic]
 
   bucket         = google_storage_bucket.workqueue[each.key].name
   payload_format = "JSON_API_V1"
diff --git a/modules/workqueue/outputs.tf b/modules/workqueue/outputs.tf
index a6036c51..da277eb6 100644
--- a/modules/workqueue/outputs.tf
+++ b/modules/workqueue/outputs.tf
@@ -1,5 +1,5 @@
 output "receiver" {
-  depends_on = [ module.receiver-service ]
+  depends_on = [module.receiver-service]
   value = {
     name = "${var.name}-rcv"
   }