The correct answer is A. In Zero Trust architecture, policy enforcement applies to every access request, including requests from users who may ultimately be authorized. Zscaler documentation explains that when a user requests access, the platform evaluates context such as identity, posture, location, group membership, and application conditions, then enforces the matching policy. This means that authorized users are not exempt from policy; rather, policy is what determines whether they are authorized for that specific request.
ZPA guidance also states that access policies use explicit logic based on application segments, SAML attributes, client type, and posture profiles, and that traffic that does not match a policy is automatically blocked. This is fully consistent with the principle that no access should occur outside authorization and policy control.
Option A is the only choice that matches that Zero Trust principle, even though its wording is broader than the question. Options B, C, and D are incorrect because they either exclude authorized users from enforcement or imply unnecessary visibility to destinations. In Zero Trust, all traffic is subject to policy, and nothing should be allowed without authorization.