Company
Date Published
Author
Masaya Suzuki
Word count
1668
Language
English
Hacker News points
None

Summary

GCP IAM's access management is based on tuple matching: an access configuration can be expressed as a simple tuple of (User X, Y, Z), but the real complexity lies in how these tuples are configured and checked. GCP has two types of identities, human user accounts and service accounts, and groups (such as Google Groups and Google Workspace accounts) are used to reference sets of accounts when granting permissions. Roles and permissions are the other key components: a role is a named set of permissions, and either predefined roles or custom roles can be used. The GCP resource hierarchy allows parent-child relationships between resources, with access control policies applied at each level. GCP IAM is built on top of the Zanzibar system, which uses (object, relation, user) tuples as its foundation and allows configuration of how these tuples are expanded. Understanding the object models of GCP IAM can help in implementing custom access control mechanisms based on open-source Zanzibar implementations.