The correct option is Evaluate both the external collaborators' security posture and the sensitivity classification of the data to be shared.

Evaluate both the external collaborators' security posture and the sensitivity classification of the data to be shared is correct because authorization decisions must address who will hold or process the data and how sensitive that data is. You should map data flows, assign sensitivity labels, and then validate that the external collaborator has the technical and organizational controls needed to meet the protection requirements. Doing both items together enables appropriate access controls, encryption, monitoring, incident response roles, and contract terms before approving connections.

VPC Service Controls is incorrect because that is a vendor specific control for Google Cloud and it does not substitute for a full authorization review. It can help restrict data movement within a cloud provider but it does not evaluate an external partner's overall security posture or cover collaborators on other platforms.

Classify the type of data that will be shared is incomplete because classification alone does not ensure the partner can protect the data. Classification informs the required controls but you still must assess and verify the collaborator's controls, policies, and practices before authorizing data exchange.

Only BrightWave's internal security controls is incorrect because relying solely on internal controls ignores risks that originate with the external collaborator. Authorization must consider shared responsibilities and validate the external party's security, as well as include contractual obligations and monitoring.

Full AWS Practitioner Certification Question