What is the recommended approach for managing encryption keys when migrating an application to the cloud under strict regulatory requirements?

When migrating an application to the cloud while adhering to strict regulatory requirements, it is essential to prioritize control and security over encryption keys. Generating a key in the on-premises environment and using an external Hardware Security Module (HSM) offers superior control, as it allows the organization to keep sensitive key material on a physical device that remains under their management. This external HSM can help satisfy compliance requirements by providing robust security controls, such as tamper resistance and limited access to keys, which can be critical for organizations dealing with sensitive information.

In contrast, generating a key in Google Cloud or relying solely on automatic key management can introduce potential risks, especially if the regulatory requirements demand that sensitive keys remain within an organization's controlled environment. While Cloud KMS provides management capabilities for keys created in the cloud, it may not meet stringent compliance demands if the governing body requires that keys be stored and managed outside the cloud provider’s environment.

Moreover, features of automatic key management, while convenient, might lack the customizability and control that a regulated organization may require. Thus, option C stands out as the most compliant and secure approach in this context, ensuring that key management adheres to the required standards for security and regulatory adherence.