Zero Trust: How an organization can trust the Policy Engine (PE)

I'm researching about Zero Trust Architecture.

I have a question outside the knowledge of a lot ot documents,:

\- If organization don't trust any subject (client, user,...), how the organization can trust the PE (Policy Engine) and entrust policy enforcement to PE ?

\- Does that create risk for the organization?

\- Is there any principal of policy/standard talks about the testing process as well as choosing PE vendors or simply trust from both sides.

Tks for ur support.

architecture client cybersecurity documents don enforcement engine entrust knowledge lot organization policy policy engine question risk trust zero trust zero trust architecture