# Real-World Security Anti-Patterns and Failure Modes > **Intro:** Many security programs fail not because teams lack tools, but because they ship controls that **look complete in slides and remain fragile in production**. This page captures common anti-patterns seen in mature engineering environments. ## 1. The checkbox-quality-gate anti-pattern A quality gate exists, but: * only severity is evaluated; * exploitability is ignored; * exceptions are permanent; * findings are duplicated across scanners; * teams learn to wait for waivers instead of fixing root causes. **Failure mode:** the gate creates friction without improving actual release confidence. ## 2. The signed-but-untrusted artifact anti-pattern Images are signed, but: * the signing identity is too broad; * admission does not verify environment or repository scope; * the build path is not protected; * the runtime platform allows drift and side-loading. **Failure mode:** teams say “signed” while investigators cannot prove trusted provenance. ## 3. The policy-engine-without-ownership anti-pattern Teams install a policy engine, add a few sample controls, and then no one owns authoring, exemptions, testing, or breakage analysis. **Failure mode:** policy becomes tribal knowledge, exemptions multiply, and developers stop trusting the platform. ## 4. The centralized-security-bottleneck anti-pattern Every review, exception, or release question routes through a small central team. **Failure mode:** security becomes slow, noisy, and politically expensive. Platform and product teams stop engaging early. ## 5. The log-everything-but-explain-nothing anti-pattern The platform collects huge volumes of telemetry but omits: * tenant identifiers; * workflow state; * release version; * object owner; * environment intent. **Failure mode:** storage cost rises while investigation quality remains weak. ## 6. The maturity-by-tool-spend anti-pattern Leadership believes maturity increased because more products were purchased. **Failure mode:** tool overlap rises, ownership becomes unclear, and signal quality does not improve. ## 7. The exception-without-decay anti-pattern Exceptions are approved but never revisited. **Failure mode:** temporary risk becomes de facto architecture. ## 8. The framework cosplay anti-pattern Teams cite SSDF, SAMM, SLSA, ASVS, or internal standards, but cannot map them to: * actual engineering actions; * review cadence; * evidence; * backlog priorities; * operator behaviors. **Failure mode:** frameworks become vocabulary, not operating discipline. ## How to recognize a healthy program instead Healthy programs usually show these properties: * controls have named owners; * decision records exist for important trade-offs; * exceptions expire; * alerts include action context; * release criteria are understandable by product teams; * leadership metrics distinguish coverage from effectiveness. ## Review exercise Ask of any control: 1. Who owns it? 2. How does it fail? 3. How will responders know? 4. When was the last time it was challenged or tuned? 5. Does the surrounding team still believe in it? If those questions cannot be answered, the control is probably weaker than the dashboard suggests. *** *Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.product-security.expert/strategy-governance-and-leadership/index-1/real-world-security-antipatterns-and-failure-modes.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.