I think that shows how the relationship actually works.. pulumi is declarative - think of it like having your code explain exactly what you want to happen in on a layer of abstraction, that code is compared to a "ledger" (i.e. the stack / state) to enumerate the changes you actually need to apply.
When it comes to monitoring things - there is no activity on the ledger. it's just a file written to a disk, and only checked whenever you or your code wants to compare something.
And nothing will -ever- happen unless YOUR CODE would cause anything in the LEDGER to be changed. ONLY THEN would pulumi actually action anything against the resource (i.e. gcp). So you can run the same code 100 times and in principle it will be applied once and only once, the other 99 times it will just say "yes, what you are telling me to do has been done, I will not bother gcp about it".
But! You CAN create policies /in/ gcp using gcp-native stuff, and manage those policies with pulumi 😉