You have defined central security controls in your Google Cloud environment. For a specific folder in your organization, you set an organizational policy to deny the assignment of external IP addresses to VMs. Two days later, you receive an alert that a new VM with an external IP address was created in that folder.

What is the most likely reason this alert was generated?

Exam-Like

The VM was created with a static external IP address that was reserved in the project before the organizational policy rule was set.

The organizational policy constraint wasn't properly enforced and is running in "dry run" mode.

A project level, the organizational policy control has been overwritten with an "allow" value.

The policy constraint on the folder level does not have any effect because of an "allow" value for that constraint on the organizational level.

Google Professional Cloud Security Engineer