diff --git a/src/content/docs/cloudflare-one/policies/access/index.mdx b/src/content/docs/cloudflare-one/policies/access/index.mdx
index 51daef22f7df133..fd722c907398f58 100644
--- a/src/content/docs/cloudflare-one/policies/access/index.mdx
+++ b/src/content/docs/cloudflare-one/policies/access/index.mdx
@@ -59,7 +59,7 @@ For example, this configuration blocks every request to the application, except
Bypass does not enforce any Access security controls and requests are not logged. Bypass policies should be tested before deploying to production. Consider using [Service Auth](/cloudflare-one/policies/access/#service-auth) if you would like to enforce policies and maintain logging without requiring user authentication.
-As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email, or IP).
+As Bypass does not enforce Access security controls, Bypass policies do not support identity-based [rule types](/cloudflare-one/policies/access/#rule-types). When making Bypass policies, you will not be able to apply certain identity-based [selectors](/cloudflare-one/policies/access/#selectors) (such as email).
:::
@@ -133,28 +133,28 @@ To require only one country and one email ending:
When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/applications/non-http/) applications.
-Identity-based attributes are only checked when a user authenticates to Access. Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
-
-| Selector | Description | Checked at login | Checked continuously1 |
-| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- |
-| Emails | `you@company.com` | ✅ | ❌ |
-| Emails ending in | `@company.com` | ✅ | ❌ |
-| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ |
-| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ |
-| Country | Uses the IP address to determine country. | ✅ | ✅ |
-| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ |
-| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ |
-| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ |
-| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ |
-| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ |
-| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ |
-| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ |
-| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). | ✅ | ❌ |
-| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ |
-| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ |
-| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ |
-| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ |
-| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ |
+Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
+
+| Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? |
+| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ |
+| Emails | `you@company.com` | ✅ | ❌ | ✅ |
+| Emails ending in | `@company.com` | ✅ | ❌ | ✅ |
+| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ | ✅ |
+| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | ❌ |
+| Country | Uses the IP address to determine country. | ✅ | ✅ | ❌ |
+| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | ❌ |
+| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | ❌ |
+| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | ❌ |
+| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | ❌ |
+| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ | ❌ |
+| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ |
+| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ |
+| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). | ✅ | ❌ | ✅ |
+| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ | ✅ |
+| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ | ✅ |
+| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | ❌ |
+| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ | ❌ |
+| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ | ❌ |
1 For SaaS applications, Access can only enforce policies at the time
of initial sign on and when reissuing the SaaS session. Once the user has