diff --git a/cmd/ocm/gcp/gcp-client-shim.go b/cmd/ocm/gcp/gcp-client-shim.go
index cc90f9e7..b9f35d05 100644
--- a/cmd/ocm/gcp/gcp-client-shim.go
+++ b/cmd/ocm/gcp/gcp-client-shim.go
@@ -4,7 +4,6 @@ import (
 "context"
 "fmt"
 "log"
- "reflect"
 "strings"
 "time"
 
@@ -252,7 +251,7 @@ func (c *shim) createOrUpdateRoles(
 }
 
 // Update role if permissions have changed
- if !reflect.DeepEqual(existingRole.IncludedPermissions, permissions) {
+ if c.roleRequiresUpdate(permissions, existingRole.IncludedPermissions) {
 existingRole.IncludedPermissions = permissions
 _, err := c.updateRole(ctx, existingRole, c.fmtRoleResourceId(role))
 if err != nil {
@@ -264,6 +263,25 @@ func (c *shim) createOrUpdateRoles(
 return nil
 }
 
+func (c *shim) roleRequiresUpdate(
+ newPermissions []string,
+ existingPermissions []string,
+) bool {
+ permissionMap := map[string]bool{}
+ for _, permission := range existingPermissions {
+ permissionMap[permission] = true
+ }
+ if len(permissionMap) != len(newPermissions) {
+ return true
+ }
+ for _, permission := range newPermissions {
+ if !permissionMap[permission] {
+ return true
+ }
+ }
+ return false
+}
+
 func (c *shim) bindRolesToServiceAccount(
 ctx context.Context,
 serviceAccount *cmv1.WifServiceAccount,
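Review bot: roleRequiresUpdate can answer "no update" while the existing role still holds a permission that is absent from the desired list, because existingPermissions is de-duplicated through the map while newPermissions is measured with a plain len(). With existing [a, b] and new [a, a] both sizes are 2 and every new entry is found, so b stays on the role and the reconciliation towards the smaller permission set is skipped. Comparing two sets closes that case and also stops a duplicated desired entry from triggering an update on every run. Whether the desired list can contain duplicates is not visible in this diff, so treat this as hardening if the caller already guarantees uniqueness. The method also lacks a doc comment stating the (new, existing) argument order and that the comparison ignores ordering.

```go
func (c *shim) roleRequiresUpdate(
	newPermissions []string,
	existingPermissions []string,
) bool {
	existing := make(map[string]struct{}, len(existingPermissions))
	for _, permission := range existingPermissions {
		existing[permission] = struct{}{}
	}
	// De-duplicate the desired side too, so the size check compares sets.
	wanted := make(map[string]struct{}, len(newPermissions))
	for _, permission := range newPermissions {
		if _, ok := existing[permission]; !ok {
			return true
		}
		wanted[permission] = struct{}{}
	}
	return len(wanted) != len(existing)
}
```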