Xoogler here (2011-2018). It's heartwarming that a core part of Google culture ("for every problem we have 3 solutions: 2 that are deprecated and 1 that is experimental") is alive and well.

You could just read their whitepapers and accept them at face value. What other major SaaS providers are publishing about their technical countermeasures against insider risk?

If a company publishes loads of articles about how they have technical controls for privacy and security, through encryption and compartmentalization and code review and build provenance and so forth, and all the people who work/worked at said company are always whining about how onerous those processes are, then what gives you reason to doubt it?

I wish I had an answer for you. I spend at least half of the past year trying to make that decision. The internal LLM that can read all the docs and code, you'd think, could get the context to know what the optimal state is, but it easily gets confused by out of date documentation and recommends paths that are going to be marked as "why didn't you use the new thing?" at review time, OR it builds out a solution using "oh, this isn't ready for use yet" parts.

I was at Meta when it was forced by the FTC to start adding this compliance stuff. It SUCKED to retrofit everything.

Now I'm at google, and onboarded on to the version of the infra that already went through that, and I can take it all at face value. It is a PAIN still, but this is the reality of a system that interfaces with O(10^8) users, O(10^2) governments.