Cloud-native architectures have introduced a fundamental shift in how security and governance are applied within modern IT environments. While traditional preventive IT General Controls (ITGCs) were designed for static, centralised systems, their application in dynamic, decentralised, and automated cloud-native systems remains ambiguous and often ineffective. This study investigates the patterns of failure in preventive controls across cloud-native environments and analyses the extent to which governance frameworks fail to enforce security proactively. Employing a meta-synthetic approach, this research reviews documented cloud breach incidents from 2021 to 2024 to extract recurring failure patterns. These incidents were analysed and mapped against major security control domains, including identity and access management, configuration hardening, and observability. The findings highlight systemic gaps in the implementation of preventive measures, particularly in areas where infrastructure is governed as code, and runtime dynamics alter control effectiveness. Furthermore, the study examines how existing governance frameworks such as ISO 27001, COBIT, and NIST CSF are often too abstract or outdated to directly translate into executable policies within CI/CD pipelines and cloud-native infrastructures. The study reveals that misconfigurations, inadequate identity management, and runtime blind spots are among the most common contributors to control failures. These issues are compounded by the lack of real-time enforcement mechanisms and the misalignment between policy design and operational realities. Based on these findings, the paper proposes a shift toward Governance-as-Code and continuous control validation as critical strategies for modern preventive governance. In conclusion, the paper demonstrates that traditional ITGCs, while still conceptually relevant, require operational reengineering to remain effective in cloud-native ecosystems. 
A governance model that is executable, context-aware, and runtime-integrated is essential for proactive security and sustained compliance in modern digital infrastructure.
Copyrights © 2025