The risk of users circumventing application controls is the most significant exposure when an application uses individual user accounts to access the underlying database. This is because users may have direct access to the data and bypass the validation, authorization, and logging mechanisms that are implemented at the application level. Users may also be able to modify or delete data without proper authorization or audit trail. The other options are less significant exposures, as they do not directly affect the integrity or confidentiality of the data. References = Risk IT Framework, ISACA, 2009, page 35; CRISC Review Manual, 6th Edition, ISACA, 2015, page 214.