For a sampled change, which of the following must functionality testing verify to ensure no security regression?

Prepare for the PCI DSS Test with detailed questions and explanations. Use flashcards and quizzes to enhance knowledge. Ensure you're ready for your certification exam!

Multiple Choice

For a sampled change, which of the following must functionality testing verify to ensure no security regression?

Explanation:
The key idea is that changes must be checked to make sure they do not introduce security weaknesses. When testing a sampled change, functionality testing should verify that the change does not adversely affect the security of the system. This means exercising security-relevant paths and controls—authentication, authorization, input validation, data handling, encryption, logging, and monitoring—to ensure they still function as designed and that no new vulnerabilities or bypasses are introduced. For instance, a modification intended to improve a feature could unintentionally weaken a permission check or expose sensitive data through error messages, creating a security regression. While other aspects like user experience, governance approvals, or backups are important in their own right, they do not directly address whether security protections were compromised by the change.
