Default service account used at folder level for Google Cloud which may lead to unauthorized access.
In GCP Console -
In Terraform -
References:
https://cloud.google.com/resource-manager/docs/access-control-folders
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam