How would you handle conflict resolution when a developer or product manager disagrees with a security requirement?