The correct answer is C . In Zero Trust architecture, enterprise risk tolerance is reflected through dynamic assessment , not static trust assumptions. A Zero Trust platform continuously evaluates the context of each request and uses that context to determine the appropriate access outcome. This aligns with the architectural principle that trust is never permanent and should be calculated based on current conditions rather than on a one-time decision or a fixed historical score.

A dynamic risk score is therefore the best fit because it can incorporate changing factors such as user identity, device posture, location, behavior, application sensitivity, and other contextual or security signals. That score then informs a decision engine , which determines whether the request should be allowed, restricted, isolated, deceived, or blocked. This is far more aligned to Zero Trust than depending on analyst advice, employee certification, or a fixed formula based only on earlier incidents.

The key principle is that Zero Trust must adapt to changing risk in real time. Since enterprise risk tolerance varies by application, data sensitivity, and business context, a dynamic scoring and policy decision model is the most accurate architectural answer.