In a Discretionary Access Control (DAC) model, the data owner or an assigned stakeholder has the authority to determine who can access resources. SecurityX CAS-005 IAM objectives describe DAC as user- or owner-controlled, where permissions can be granted or revoked at the owner's discretion. In this scenario, because permissions from the legacy system could not be migrated, multiple stakeholders were made responsible for assigning and managing access-matching the DAC model's characteristics. Option A relates to outsourcing, which does not define an access control model. Option C is about authentication limitations, unrelated to the choice of DAC. Option D describes backup responsibilities, which are operational tasks, not access control.