Google Unveils IAM Data Governance Tags for BigQuery, Bringing Global Column-Level Security to Enterprise Data
Google Cloud has introduced IAM Data Governance Tags for BigQuery, enabling global column-level security, hierarchical data classification, disaster recovery support, and scalable governance for sensitive enterprise data.
Xcademia Team
Xcademia Research Team

Google Unveils IAM Data Governance Tags for BigQuery, Bringing Global Column-Level Security to Enterprise Data
As organizations expand their data operations across regions, business units, and cloud environments, managing access to sensitive information has become increasingly complex. Enterprises need governance frameworks that can scale globally while maintaining strict security controls over regulated and confidential data.
To address these challenges, Google Cloud has announced the preview of IAM Data Governance Tags for BigQuery, a new approach to column-level security built on Google Cloud's Identity and Access Management (IAM) Resource Manager infrastructure.
The new capability extends beyond traditional policy tags by introducing global governance, hierarchical classification structures, disaster recovery resilience, and more flexible security management for BigQuery environments.
For organizations handling personally identifiable information (PII), financial records, healthcare data, or regulated business information, the update represents a significant advancement in how sensitive data can be classified, protected, and governed at scale.
Why Google Is Evolving BigQuery Column-Level Security
For years, BigQuery customers have relied on policy tags to secure sensitive columns and restrict access to specific users and groups.
Policy tags have proven effective for enforcing column-level access controls. However, modern enterprise environments have introduced new challenges, including:
Managing taxonomies across multiple regions
Supporting disaster recovery and failover scenarios
Maintaining centralized governance strategies
Scaling security policies across global organizations
Simplifying compliance management
According to Google, IAM Data Governance Tags are designed specifically to address these growing operational and governance requirements.
Unlike traditional policy tags, governance tags are globally managed while still enforcing security controls at the regional level where data resides.

What Are IAM Data Governance Tags?
IAM Data Governance Tags are a specialized type of Google Cloud Resource Manager Tag.
When administrators create a tag key and designate its purpose as DATA_GOVERNANCE, the tag becomes available for BigQuery column-level security and governance use cases.
These tags can then be applied directly to columns containing sensitive information, creating a flexible classification framework that security and compliance teams can use to enforce access controls.
Unlike traditional policy tags, governance tags support hierarchical structures, allowing organizations to create detailed classifications that mirror regulatory, operational, and business requirements.
For example:
Data Classification
├─ PII
│ ├─ Private
│ │ └─ Email
│ └─ Financial
│ └─ Credit CardThis hierarchical model enables highly granular security controls while maintaining centralized governance.
Key Benefits of IAM Data Governance Tags
1. Global Governance Across Regions
One of the most significant improvements is global scope.
Policy tags are tied to specific regions, requiring organizations to maintain separate taxonomies in different locations.
IAM Data Governance Tags eliminate that complexity by allowing a single tag structure to be reused across projects and regions.
For example:
data_sensitivity: highcan be consistently applied throughout an organization regardless of where the underlying data resides.
2. Built-In Disaster Recovery
Security controls must remain intact during failovers and recovery events.
Google says Data Governance Tags and their associated policies are automatically replicated to secondary regions.
This helps ensure that governance policies remain available and effective even when workloads move between regions.
3. Hierarchical Security Classification
Organizations can create classification trees up to five levels deep.
Examples include:
PII
Financial
Credit Card Number
Personal
Email Address
Phone Number
This structure supports both broad governance categories and highly specific security controls.
4. Decoupled Governance and Enforcement
Data can be classified before access controls are applied.
This separation gives organizations flexibility when onboarding new datasets or implementing governance programs.
Security teams can establish classifications first and activate policies later when business requirements dictate.
Step 1: Creating Data Governance Tags
The first step involves creating a governance tag key and specifying its purpose.
Create a Data Governance Tag Key
gcloud resource-manager tags keys create data_class \
--parent=projects/my-governance-project \
--purpose=DATA_GOVERNANCESetting the purpose to DATA_GOVERNANCE designates the tag for BigQuery column-level security.
Create Hierarchical Tag Values
Organizations can then build governance structures underneath the tag key.
# Create parent tag
gcloud resource-manager tags values create pii \
--parent=my-governance-project/data_class
# Create child tag
gcloud resource-manager tags values create private \
--parent=my-governance-project/data_class/pii
# Create third-level tag
gcloud resource-manager tags values create email \
--parent=my-governance-project/data_class/privateThis approach enables detailed classifications while preserving governance consistency across the organization.
Step 2: Applying Governance Tags to BigQuery Columns
After creating governance tags, administrators can attach them to sensitive columns.
Export Existing Table Schema
For existing tables, Google recommends exporting the schema before adding tags.
bq show --schema --format=prettyjson \
my_project:my_dataset.my_table > schema.jsonAdd Governance Tags to the Schema
Administrators can then map classifications directly to columns.
[
{
"name": "user_email",
"type": "STRING",
"dataGovernanceTagsInfo": {
"dataGovernanceTags": {
"my-governance-project/data_class": "email"
}
}
},
{
"name": "phone_number",
"type": "STRING",
"dataGovernanceTagsInfo": {
"dataGovernanceTags": {
"my-governance-project/data_class": "private"
}
}
}
]In this example:
user_emailis classified as Emailphone_numberis classified as Private
This allows downstream security policies to automatically identify and govern sensitive information.

Managing Governance Tags with SQL
Google is also expanding SQL-based management capabilities.
Organizations can assign tags during table creation:
CREATE OR REPLACE TABLE my_dataset.my_table(
user_email STRING
OPTIONS (
data_governance_tags = [
('my-governance-project/data_class', 'email')
]
)
);Update an existing column:
ALTER TABLE my_dataset.my_table
ALTER COLUMN phone_number
SET OPTIONS (
data_governance_tags = [
('my-governance-project/data_class', 'private')
]
);This allows database administrators to incorporate governance directly into existing data workflows.
Auditing and Monitoring Tagged Columns
Visibility is critical for governance programs.
BigQuery administrators can review tagged columns using INFORMATION_SCHEMA.
SELECT
column_name,
data_governance_tags[SAFE_OFFSET(0)].key AS tag_key,
data_governance_tags[SAFE_OFFSET(0)].value AS tag_value
FROM `my_project.my_dataset.INFORMATION_SCHEMA.COLUMNS`
WHERE table_name = 'my_table';The query provides an overview of which governance tags are attached to each column.
This helps organizations maintain governance consistency and simplify compliance audits.
Step 3: Creating Data Policies
Classification alone does not enforce security.
Organizations must define data policies that determine how tagged information is accessed.
Raw Data Access Policies
Authorized users can view original data values.
Data Masking Policies
Sensitive data can be automatically transformed before being displayed.
Supported masking methods include:
SHA256 hashing
NULL masking
Other predefined masking expressions
Example Data Masking Policy
{
"dataPolicy": {
"dataPolicyType": "DATA_MASKING_POLICY",
"dataMaskingPolicy": {
"predefinedExpression": "SHA256"
},
"grantees": [
"principalSet://goog/group/grp-sales@corp.com"
],
"dataGovernanceTag": {
"key": "myProject/data_class",
"value": "pii"
}
}
}This policy masks PII-tagged data using SHA-256 hashing while allowing approved groups to access the dataset.
Layered Security for Sensitive Data
Google emphasizes that governance tags function within BigQuery's broader security model.
Users must first have access to the table itself through roles such as:
roles/bigquery.dataViewerGovernance policies then determine whether the user can:
View raw data
View masked data
Be denied access entirely
This layered approach aligns with zero-trust and least-privilege security principles.

Security, Compliance, and Business Benefits
The introduction of IAM Data Governance Tags delivers several strategic advantages.
Stronger Compliance Support
Organizations operating under frameworks such as:
GDPR
HIPAA
PCI DSS
CCPA
can apply consistent protections across regulated data assets.
Centralized Governance
Global enterprises gain a single governance model that spans multiple projects and regions.
Simplified Security Operations
Security teams can reduce administrative overhead by maintaining one classification framework instead of managing multiple regional taxonomies.
Enhanced Data Protection
Granular access controls and masking policies reduce the risk of accidental exposure and insider threats.
Looking Ahead
Google has already outlined several planned enhancements, including:
SQL-based tag creation
SQL-based policy management
Multiple tags per column
Policy evaluation using tag combinations
Deeper integration with Knowledge Catalog
These capabilities could further strengthen BigQuery's position as a secure and scalable enterprise analytics platform.
As organizations continue to expand AI, analytics, and data-sharing initiatives, governance frameworks capable of operating across complex cloud environments will become increasingly important.
Conclusion
Google's IAM Data Governance Tags represent a significant evolution in BigQuery's approach to column-level security. By introducing global governance, hierarchical classifications, disaster recovery resilience, and flexible policy enforcement, the company is addressing many of the challenges faced by modern enterprise data teams.
The new framework allows organizations to classify sensitive data consistently, enforce fine-grained access controls, and simplify governance across projects and regions. For enterprises seeking stronger compliance, centralized security management, and scalable data protection, IAM Data Governance Tags offer a compelling new tool for securing critical information assets in the cloud.
Source: Google Cloud Blog
About the Author