The correct answer is C. Conditionally block (Deceive). In Zero Trust architecture, authorization alone is not enough to guarantee that a request is safe. An otherwise authorized user, device, or workload can still generate malicious, compromised, or suspicious access attempts. For that reason, Zero Trust policy enforcement must remain contextual and adaptive, even after identity and access have already been validated. Zscaler’s architecture emphasizes that access policies are based on the entire user context, including device, location, and compliance, and that different policy outcomes can be enforced based on those values.
A deception-based conditional block is the strongest answer because it both prevents harmful access and gives defenders insight into attacker behavior by redirecting suspicious activity away from the real service. This is more effective than simply allowing access during business hours or allowing the activity and reviewing logs later, because those approaches do not stop the potentially malicious action in real time. Zero Trust is built around preventive, policy-driven enforcement, not delayed review. Therefore, if an authorized initiator behaves maliciously, the best enforcement is to conditionally block with deception.