The scenario best illustrates loss of governance because the core problem is not a specific technical exploit but a failure in management oversight, accountability, and control assignment for cloud/serverless security responsibilities. The question describes “lack of defined responsibilities for monitoring, auditing, and securing serverless services,” resulting in critical functions being “unmanaged,” which led to downtime and delayed alerts. That is a governance failure: the organization did not establish clear ownership, policies, and operational processes to ensure cloud workloads—specifically serverless functions—were properly monitored, audited, and secured.
In cloud environments, governance includes defining roles and responsibilities (shared responsibility model understanding), establishing security baselines, ensuring logging/monitoring coverage, enforcing configuration management, and maintaining compliance oversight. When governance is weak, services may be deployed without consistent security controls, alerts may be misconfigured or ignored, and incident response can be delayed because no team is clearly accountable. Serverless increases this risk because it can be rapidly adopted by developers, spun up quickly, and overlooked by traditional infrastructure processes if the organization’s governance framework doesn’t explicitly include it.
While “insufficient logging and monitoring” (A) is closely related, the scenario frames the root cause as management’s lack of defined responsibilities, which is broader than missing logs. It’s about the absence of governance structures that ensure logging/monitoring are implemented and owned. Privilege escalation and side-channel attacks are technical attack categories not suggested by the description.
Therefore, the cloud threat illustrated is B. Loss of governance.
