The application owner should own the risk associated with unauthorized access to application data. This is because the application owner is responsible for the overall management, security, and performance of the application. They have the comprehensive understanding necessary to assess the business context, data sensitivity, and access requirements, making them best suited to implement proper controls, monitoring, and risk mitigation strategies.