Administrative permissions ({PolicyBindings.Role}) have been granted to the user {GcpUser} at the project level; these rights allow the User or service account to create a project. Once a user creates a project, they're automatically granted the owner role for that project.
Recommended Mitigation
Evaluate the user's permissions and consider removing the binding to {GcpUser.PolicyBindings.Role}