The correct answer is D. In Zero Trust architecture, policy enforcement is the specific control decision applied to a particular access request, based on the exact context of that request at that moment. Zscaler’s architecture guidance emphasizes granular, context-based policies that control application access independently of IP address or location. It also explains that policy is determined by evaluating the user, device, location, group, and other factors, which means enforcement is transaction-specific rather than a broad network permission.
Option A refers to traditional AAA concepts and protocols, which may participate in identity workflows but do not define Zero Trust policy enforcement by themselves. Option B, SCIM with an Identity Provider (IdP), relates to identity provisioning rather than runtime enforcement. Option C reflects a legacy or infrastructure-centric design pattern, not Zero Trust. In contrast, Zero Trust enforcement is the actual outcome applied to that single request, such as allow, restrict, isolate, deceive, or block, depending on verified context. This is why the best answer is that policy enforcement is the unique and definitive implementation of control solely for that access request, not a generalized network-level permission model.