The correct answer is Apply the stricter security requirements from either system to the integrated system.

When two systems with different data protection classifications are combined the safe approach is to require the controls that satisfy the higher classification and the more stringent control requirements. Applying the stricter requirements reduces the risk that a weak control will expose more sensitive data and it helps ensure compliance with legal and contractual obligations.

Implementers should perform a risk assessment to identify the highest sensitivity data and then select control baselines that meet those needs. This typically means choosing controls that cover confidentiality integrity and availability goals at the stricter level and documenting any compensating controls or residual risk.

Adopt the least restrictive controls from both systems is incorrect because choosing the weakest controls increases exposure and can make the combined system noncompliant with the requirements that protected the more sensitive data.

Use Google Cloud IAM is incorrect because the question asks which factor should determine the controls not which specific product to use. A product like an identity and access management solution can be part of the implementation but it does not replace the need to apply the stricter security requirements based on data classification.

Merge controls proportionally based on user traffic patterns is incorrect because traffic volume does not determine data sensitivity or compliance obligations. Proportional merging can leave high sensitivity data insufficiently protected when it is accessed less frequently.

Full AWS Practitioner Certification Question