by xnorswap 679 days ago
This is way more common than you'd like, here's a scenario where it can happen even without outright incompetence:

Someone (or some AI) copies an example auth implementation from stackoverflow. Being sensible, they realise they shouldn't put key material in source code either, so they leave "secret" in place and pop a ticket in JIRA to update it with the key material from the vault before it goes live.

Employee falls ill, everything gets re-assigned. Leaves before it gets actioned and that ticket slips through the cracks, with the person taking over their duties not realising how serious "J10243: Populate secret from key vault" actually is, perhaps assuming it's currently coming from a different configuration location.

There's little chance that regular testing discovers the flaw as the key gen based on "secret" goes live.

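As an added illustration of the failure mode described in the post above (example code written for this page, not from the commenter or any project it mentions): a boot-time guard that refuses to start the service while the signing secret is still an example placeholder, too short, or obviously not drawn from a vault or CSPRNG. The environment variable name `AUTH_SIGNING_SECRET`, the deny-list contents, the 32-byte minimum and the entropy threshold are all assumptions chosen for the example.

```python
"""Boot-time guard against placeholder signing secrets (added example, hypothetical names).

The scenario: an HMAC/JWT example is copied with "secret" left in place and the
JIRA ticket to swap in real key material never gets actioned. A check that runs
once at startup turns that silent failure into a loud one, and regular testing
no longer has to notice it by accident.
"""
import math
import secrets
from collections import Counter
from typing import Mapping, Tuple

# Constructed deny-list of values that commonly ship in copied example code.
# Extend it with whatever your own templates and docs use.
PLACEHOLDER_SECRETS = frozenset({
    "", "secret", "changeme", "change_me", "password", "your-256-bit-secret",
    "supersecret", "mysecret", "jwt_secret", "todo", "xxx",
})
# Substrings that almost never appear in a secret that actually came from a vault.
SUSPICIOUS_SUBSTRINGS = ("secret", "changeme", "password", "todo")
MIN_SECRET_BYTES = 32          # 256 bits, the usual floor for an HMAC-SHA256 key
MIN_ENTROPY_BITS_PER_CHAR = 3.0  # illustrative threshold; random base64/hex scores ~4-6

ENV_VAR = "AUTH_SIGNING_SECRET"  # hypothetical name for the configured secret


def shannon_entropy_bits(value: str) -> float:
    """Per-character entropy estimated from the value's own character distribution.

    This catches "aaaa..." and "12341234..." style filler; it does not prove a
    value is random, it only rejects values that clearly are not.
    """
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def check_signing_secret(value: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is False when the value looks like it was never replaced."""
    normalized = value.strip().lower()
    if normalized in PLACEHOLDER_SECRETS:
        return False, "placeholder value from an example; populate from the key vault"
    if any(token in normalized for token in SUSPICIOUS_SUBSTRINGS):
        return False, "contains an example-style word; populate from the key vault"
    if len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        return False, f"shorter than {MIN_SECRET_BYTES} bytes"
    if shannon_entropy_bits(value) < MIN_ENTROPY_BITS_PER_CHAR:
        return False, "low entropy (repeated or patterned characters)"
    return True, "ok"


def load_signing_secret(env: Mapping[str, str]) -> str:
    """Read the secret from the environment mapping and fail closed if it is unusable.

    Call this once at process start, before any request handler is registered,
    so a bad deploy dies immediately instead of minting forgeable tokens.
    """
    value = env.get(ENV_VAR)
    if value is None:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start")
    ok, reason = check_signing_secret(value)
    if not ok:
        raise RuntimeError(f"{ENV_VAR} rejected: {reason}; refusing to start")
    return value


def generate_signing_secret(nbytes: int = 48) -> str:
    """Produce a value suitable for storing in the vault (urlsafe base64 of CSPRNG bytes)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed demo environment: the copied-example value and a vault-style value.
    for demo_env in ({ENV_VAR: "secret"}, {ENV_VAR: generate_signing_secret()}):
        try:
            load_signing_secret(demo_env)
            print("startup ok")
        except RuntimeError as exc:
            print("startup blocked:", exc)
```

Wiring the check into process start rather than a test suite is the point: the post's ticket slipped because nothing in the pipeline noticed the value, whereas a guard that refuses to boot makes the first staging deploy with the placeholder fail in a way the person who inherited the ticket cannot miss.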

Then imagine how often this happens without the "sensible employee" and "pop a ticket in JIRA" parts.

Tragedy of the Commons often happens where there are too many developers and unclear functional or concern ownership. Each concern needs a home, a checklist, a runbook, documentation, a support escalation path, and responsible tech or business owners.

You are redefining "tragedy of the commons" there... TOTC is about overusing shared resources (e.g. too many people helping themselves to a shared plate of food), not about confusing who should do what.

Responsibility is the "resource" that becomes diminished. What would you rather call it then? The bystander effect at organizational scale?
You should actually read Garrett Hardin's influential essay you are referencing before referencing it again. It's freely available from his estate at https://www.garretthardinsociety.org/articles/art_tragedy_of...

Because it doesn't say what you seem to think it does.