You are running applications outside of Google Cloud that need to access Google Cloud resources. You are using Workload Identity Federation to grant external identities IAM roles, avoiding the maintenance and security burden of service account keys. You must protect against identity spoofing and unauthorized access.

What should you do? (Choose two.)