The best option for enabling regulatory compliance in this situation is a Privileged Access Management (PAM) system. A PAM system allows organizations to centrally manage user access and privileges across different systems, making it easier to remove user privileges within the required timeframe. Additionally, a PAM system can also help to ensure that user access remains secure, reducing the risk of unauthorized access and ensuring regulatory compliance.

In building a security risk-aware culture, it is most important to convey to employees that the responsibility for security rests with all employees. Every employee plays a role in ensuring the security of the organization's information assets, and it is essential that they understand their role and take security seriously. This means not only following security policies and procedures but also being vigilant in identifying and reporting potential security incidents.
The other items listed (personal information requiring different security controls than sensitive information, employee access should be based on the principle of least privilege, and understanding an information asset's value is critical to risk management) are all important elements of a comprehensive security program, but they are secondary to the fundamental message that security is a shared responsibility. By emphasizing this message and empowering employees to take an active role in security, organizations can build a stronger, more effective security risk-aware culture.