The correct answer is D. For every access request. Zero Trust architecture does not assume that a user, device, or session remains trusted after an initial decision. Instead, access is evaluated request by request , using current identity and contextual information. Zscaler’s ZPA guidance explains that when a user authenticates, context such as location, device posture, user group, department, and time of day is evaluated, and when the user attempts to access a resource, that context is matched against policy to determine whether access should be allowed.
ZIA guidance reinforces the same principle by stating that policy assignment evaluates the user, device, location, group, and more to determine which policies apply. That means policy enforcement is not limited to high-risk sessions, nor is it applied only once to all future traffic from a source. It is also not restricted only to already authorized users, because the authorization decision itself is part of the evaluation. In Zero Trust, each access request is independently assessed and enforced according to current policy and context. That is why the best answer is for every access request .
