Explanation
A detective control is a type of internal control that seeks to uncover problems in a company's processes once they have occurred1. Examples of detective controls include physical inventory checks, reviews of account reports and reconciliations, as well as assessments of current controls1. Detective controls use platform telemetry to detect misconfigurations, vulnerabilities, and potentially malicious activity in the cloud environment2.
In a Software as a Service (SaaS) service provider, privileged access monitoring is a detective control that can help identify unauthorized or suspicious activities by users who have elevated permissions to access or modify cloud resources, data, or configurations. Privileged access monitoring can involve logging, auditing, alerting, and reporting on the actions performed by privileged users3. This can help detect security incidents, compliance violations, or operational errors in a timely manner and enable appropriate responses.
Data encryption, incident management, and network segmentation are examples of preventive controls, which are designed to prevent problems from occurring in the first place. Data encryption protects the confidentiality and integrity of data by transforming it into an unreadable format that can only be decrypted with a valid key1. Incident management is a process that aims to restore normal service operations as quickly as possible after a disruption or an adverse event4. Network segmentation divides a network into smaller subnetworks that have different access levels and security policies, reducing the attack surface and limiting the impact of a breach1.
References:
Detective controls - SaaS Lens - docs.aws.amazon.com3, section on Privileged access monitoring Detective controls | Cloud Architecture Center | Google Cloud2, section on Detective controls Internal control: how do preventive and detective controls work?4, section on SaaS Solutions to Support Internal Control Detective Control: Definition, Examples, Vs. Preventive Control1, section on What Is a Detective Control?

Explanation
The primary component to determine the success or failure of an organization's cloud compliance program is mapping who possesses the information and data that should drive the compliance goals. This is because the cloud compliance program should be aligned with the organization's business objectives and risk appetite, and the information and data that support these objectives and risks are often distributed across different cloud service providers, business units, and stakeholders. Therefore, it is essential to identify who owns, controls, and accesses the information and data, and how they are protected, processed, and shared in the cloud environment. This is part of the Cloud Control Matrix (CCM) domain COM-02: Data Governance, which states that "The organization should have a policy and procedures to manage data throughout its lifecycle in accordance with regulatory requirements, contractual obligations, and industry standards."1 References := CCAK Study Guide, Chapter 3: Cloud Compliance Program, page 53