Correct Option: A. Failure to update access controls after employee role changes
This is one of the most common risk factors related to cloud misconfiguration and poor change management. Misconfiguration errors often stem from insufficient change control, especially in dynamic environments like the cloud. According to CSA’s Security Guidance v4.0, poor governance of identity and access management (IAM) changes, such as not updating access privileges when user roles change, introduces serious security risks.
"Cloud computing is dynamic by nature. This places more importance on automation and proper governance, especially for identity and access control. Failure to remove or update access permissions after personnel changes leads to orphaned or over-permissioned accounts, which are prime targets for attackers."
— Domain 2: Governance and Enterprise Risk Management, CSA Security Guidance v4.0
This is also highlighted in ENISA’s Cloud Risk Assessment:
"Loss of governance includes failing to maintain proper control over access privileges and role assignments. Poor change management and inadequate configuration reviews can leave systems open to unauthorized access."
— ENISA Cloud Computing Risk Assessment, Section R.2: Loss of Governance
Why the Other Options Are Incorrect:
B. Lack of sensitive data encryption: While encryption is critical, it is not directly tied to change control or misconfiguration; it falls under the Data Security and Encryption domain.
C. Lack of 3rd party service provider specialized in patch management procedures: This refers more to vendor management and Security-as-a-Service, not internal change control or misconfigurations.
D. Excessive SBOM focus: Software Bill of Materials (SBOM) is important for supply chain transparency, but excessive focus on it isn’t a typical misconfiguration or change control risk.
References:
CSA Security Guidance v4.0 – Domain 2: Governance and Enterprise Risk Management
ENISA Cloud Computing Security Risk Assessment – R.2 Loss of Governance