The correct answer is B. No. In Zero Trust architecture, risk is not uniform across users. Zscaler guidance explains that policy and access decisions are based on the entire user context, including identity, device, location, compliance state, and other factors. The same user can even receive different access outcomes depending on whether they are on a corporate laptop at a branch office or on a personal phone at a coffee shop.
This means risk is dynamic and personalized. One user may be low risk because they are on a managed, compliant endpoint in a trusted environment. Another user may be higher risk because they are using an unmanaged device, showing risky behavior, or requesting access to a more sensitive application. Zero Trust depends on this variation. If risk were identical across all users, there would be no need for granular policies, posture checks, or context-aware enforcement.
Therefore, Zero Trust assumes that risk changes by user, device, session, location, and requested application. That is why access policy is evaluated per request rather than applied as a one-size-fits-all model. The correct answer is No.