Is there a filter for Stackdriver that logs when a service account or user gets a role assigned or removed, and who did it?
Someone or something is removing roles in IAM, but I don't know if it's a human error or something else.
For adding a role, you can check this one:
protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
When a role gets deleted, use this one:
protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
Add this line if you suspect a user or service account:
protoPayload.authenticationInfo.principalEmail="USER_OR_SERVICEACCOUNT_EMAIL"
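
Added example, not part of the original answer: once entries matching these filters are exported as JSON, this Python sketch flattens each bindingDeltas item into a "who changed which role for whom" record, with the same action and principalEmail filtering. The sample entries are constructed, the function name role_changes is hypothetical, and it assumes each bindingDeltas item carries role and member fields next to action.

```python
# Constructed sample entries (not real logs), shaped like Cloud Audit Log
# entries for SetIamPolicy as exported to JSON.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-10T09:15:02Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "alice@example.com"},
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "ADD", "role": "roles/viewer",
              "member": "serviceAccount:app@example-project.iam.gserviceaccount.com"}]}}}},
    {"timestamp": "2024-01-10T11:40:31Z",
     "protoPayload": {
         "authenticationInfo": {
             "principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "REMOVE", "role": "roles/editor", "member": "user:bob@example.com"},
             {"action": "REMOVE", "role": "roles/viewer",
              "member": "serviceAccount:app@example-project.iam.gserviceaccount.com"}]}}}},
    # An unrelated audit entry with no policyDelta must be skipped, not crash.
    {"timestamp": "2024-01-10T12:00:00Z",
     "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"}}},
]


def role_changes(entries, action=None, principal=None):
    """Flatten bindingDeltas into one record per role change.

    action: "ADD" or "REMOVE" to keep only that kind of change (None = both).
    principal: keep only changes made by this principalEmail (None = anyone).
    """
    changes = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        if principal is not None and actor != principal:
            continue
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {}).get("bindingDeltas", []))
        for delta in deltas:
            if action is not None and delta.get("action") != action:
                continue
            changes.append({"time": entry.get("timestamp"), "actor": actor,
                            "action": delta.get("action"),
                            "role": delta.get("role"), "member": delta.get("member")})
    return changes


if __name__ == "__main__":
    for c in role_changes(SAMPLE_ENTRIES, action="REMOVE"):
        print(f'{c["time"]} {c["actor"]} {c["action"]} {c["role"]} for {c["member"]}')
```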