[CF1] IA revamp: Decouple Policies

.github/CODEOWNERS

@@ -58,13 +58,13 @@
 /src/content/docs/cloudflare-one/ @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/applications/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/identity/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/access/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/access-controls/ @kennyj42 @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/team-and-resources/devices/ @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/ @nikitacano @ranbel @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/applications/casb/ @maxvp @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/gateway/ @maxvp @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/browser-isolation/ @maxvp @ranbel @cloudflare/pcx-technical-writing
-/src/content/docs/cloudflare-one/policies/data-loss-prevention/ @maxvp @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/traffic-policies/ @maxvp @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/remote-browser-isolation/ @deadlypants1973 @cloudflare/pcx-technical-writing
+/src/content/docs/cloudflare-one/data-loss-prevention/ @maxvp @cloudflare/pcx-technical-writing
 /src/content/docs/cloudflare-one/insights/dex/ @deadlypants1973 @cloudflare/pcx-technical-writing
 /src/content/docs/email-security/ @Maddy-Cloudflare @cloudflare/pcx-technical-writing
 

public/__redirects

@@ -2352,8 +2352,6 @@
 /logs/get-started/enable-destinations/* /logs/logpush/logpush-job/enable-destinations/:splat 301
 /logs/reference/log-fields/* /logs/logpush/logpush-job/datasets/:splat 301
 /speed/optimization/other/* /speed/optimization/ 301
-/cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
-/cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
 
 # AI Crawl Control
 /ai-audit/* /ai-crawl-control/:splat 301
@@ -2362,7 +2360,6 @@
 /autorag/* /ai-search/:splat 301
 
 # Cloudflare One / Zero Trust
-/cloudflare-one/connections/ /cloudflare-one/ 301
 /cloudflare-one/applications/configure-apps/dash-sso-apps/ /fundamentals/account/account-security/dashboard-sso/ 301
 /cloudflare-one/connections/connect-networks/install-and-setup/tunnel-guide/local/as-a-service/* /cloudflare-one/connections/connect-networks/configure-tunnels/local-management/as-a-service/:splat 301
 /cloudflare-one/connections/connect-apps/install-and-setup/deployment-guides/* /cloudflare-one/connections/connect-networks/deployment-guides/:splat 301
@@ -2384,6 +2381,13 @@
 /cloudflare-one/policies/data-loss-prevention/datasets/* /cloudflare-one/policies/data-loss-prevention/detection-entries/:splat 301
 
 # Cloudflare One nav revamp
+/cloudflare-one/connections/ /cloudflare-one/ 301
+/cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
+/cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
+/cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
+/cloudflare-one/policies/browser-isolation/* /cloudflare-one/remote-browser-isolation/:splat 301
+/cloudflare-one/policies/data-loss-prevention/* /cloudflare-one/data-loss-prevention/:splat 301
+/cloudflare-one/policies/access/* /cloudflare-one/access-controls/policies/:splat 301
 /cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301
 /cloudflare-one/identity/idp-integration/* /cloudflare-one/integrations/identity-providers/:splat 301
 

src/content/changelog/access/2025-04-21-Access-Bulk-Policy-Tester.mdx

@@ -6,6 +6,6 @@ products:
   - access
 ---
 
-The [Access bulk policy tester](/cloudflare-one/policies/access/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable).
+The [Access bulk policy tester](/cloudflare-one/access-controls/policies/policy-management/#test-all-policies-in-an-application) is now available in the Cloudflare Zero Trust dashboard. The bulk policy tester allows you to simulate Access policies against your entire user base before and after deploying any changes. The policy tester will simulate the configured policy against each user's last seen identity and device posture (if applicable).
 
 ![Example policy tester](~/assets/images/changelog/access/example-policy-tester.png)

src/content/changelog/access/2025-07-01-browser-based-rdp-open-beta.mdx

@@ -6,7 +6,7 @@ products:
   - access
 ---
 
-[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/policies/access/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.
+[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) is now available in open beta for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.
 
 With browser-based RDP, you can:
 

src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx

@@ -6,7 +6,7 @@ products:
   - access
 ---
 
-You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/policies/access/).
+You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/).
 
 [Self-hosted applications](/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
 

src/content/changelog/access/2025-09-22-browser-based-rdp-ga.mdx

@@ -6,9 +6,10 @@ products:
   - access
 ---
 
-[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/policies/access/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.
+[Browser-based RDP](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-browser/) with [Cloudflare Access](/cloudflare-one/access-controls/policies/) is now generally available for all Cloudflare customers. It enables secure, remote Windows server access without VPNs or RDP clients.
 
 Since we announced our [open beta](/changelog/access/#2025-06-30), we've made a few improvements:
+
 - Support for targets with IPv6.
 - Support for [Magic WAN](/magic-wan/) and [WARP Connector](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) as on-ramps.
 - More robust error messaging on the login page to help you if you encounter an issue.

src/content/changelog/browser-isolation/2025-03-03-user-action-logging.mdx

@@ -4,7 +4,7 @@ description: User action logs for Remote Browser Isolation
 date: 2025-03-04
 ---
 
-We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](/cloudflare-one/policies/browser-isolation/) through [Logpush](/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today!
+We're excited to announce that new logging capabilities for [Remote Browser Isolation (RBI)](/cloudflare-one/remote-browser-isolation/) through [Logpush](/logs/logpush/logpush-job/datasets/account/) are available in Beta starting today!
 
 With these enhanced logs, administrators can gain visibility into end user behavior in the remote browser and track blocked data extraction attempts, along with the websites that triggered them, in an isolated session.
 

src/content/changelog/browser-isolation/2025-05-01-browser-isolation-overview-page.mdx

@@ -4,11 +4,11 @@ description: A new home page experience for deploying and managing browser isola
 date: 2025-05-01
 ---
 
-A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](/cloudflare-one/policies/browser-isolation/) deployments, providing:
+A new **Browser Isolation Overview** page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of [Remote Browser Isolation (RBI)](/cloudflare-one/remote-browser-isolation/) deployments, providing:
 
 - **Streamlined Onboarding:** Easily set up and manage isolation policies from one location.
-- **Quick Testing:** Validate [clientless web application isolation](/cloudflare-one/policies/browser-isolation/setup/clientless-browser-isolation/) with ease.
-- **Simplified Configuration:** Configure [isolated access applications](/cloudflare-one/policies/access/isolate-application/) and policies efficiently.
+- **Quick Testing:** Validate [clientless web application isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/) with ease.
+- **Simplified Configuration:** Configure [isolated access applications](/cloudflare-one/access-controls/policies/isolate-application/) and policies efficiently.
 - **Centralized Monitoring:** Track aggregate usage and blocked actions.
 
 This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.

src/content/changelog/browser-isolation/2025-05-13-rbi-saml-post-support.mdx

@@ -6,4 +6,4 @@ date: 2025-05-13
 
 Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused `405` errors during login and improves compatibility with multi-factor authentication (MFA) flows.
 
-With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](/cloudflare-one/policies/browser-isolation/setup/).
+With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to [set up Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/setup/).

src/content/changelog/casb/2024-11-22-cloud-data-extraction-aws.mdx

@@ -6,7 +6,7 @@ date: 2024-11-22
 
 import { Render } from "~/components";
 
-You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](/cloudflare-one/policies/data-loss-prevention/).
+You can now use CASB to find security misconfigurations in your AWS cloud environment using [Data Loss Prevention](/cloudflare-one/data-loss-prevention/).
 
 You can also [connect your AWS compute account](/cloudflare-one/applications/casb/casb-integrations/aws-s3/#compute-account) to extract and scan your S3 buckets for sensitive data while avoiding egress fees. CASB will scan any objects that exist in the bucket at the time of configuration.
 

src/content/changelog/cloudflare-one/new-applications-71825.mdx

@@ -11,4 +11,4 @@ product: Gateway
 
 To view all available applications, log in to your Cloudflare [Zero Trust dashboard](https://one.dash.cloudflare.com/), navigate to the **App Library** under **My Team**.
 
-For more information on creating Gateway policies, see our [Gateway policy documentation](/cloudflare-one/policies/gateway/).
+For more information on creating Gateway policies, see our [Gateway policy documentation](/cloudflare-one/traffic-policies/).

src/content/changelog/cloudflare-tunnel/2025-09-18-tunnel-hostname-routing.mdx

@@ -18,6 +18,6 @@ Previously, Tunnel routes could only be defined by IP address or [CIDR range](/c
 - **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services.
 - **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete.
 
-Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/policies/gateway/egress-policies/egress-cloudflared/) route.
+Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route.
 
 Learn more in our [blog post](https://blog.cloudflare.com/tunnel-hostname-routing/).

src/content/changelog/dlp/2025-01-03-source-code-confidence-level.mdx

@@ -13,6 +13,6 @@ You can now detect source code leaks with Data Loss Prevention (DLP) with predef
 	product="cloudflare-one"
 />
 
-DLP also supports confidence level for [source code profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code).
+DLP also supports confidence level for [source code profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#source-code).
 
-For more details, refer to [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/).
+For more details, refer to [DLP profiles](/cloudflare-one/data-loss-prevention/dlp-profiles/).

src/content/changelog/dlp/2025-04-14-icd11-support.mdx

@@ -4,6 +4,6 @@ description: ICD-11 is now available for DLP detections.
 date: 2025-04-14
 ---
 
-You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11)](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile.
+You now have access to the World Health Organization (WHO) 2025 edition of the [International Classification of Diseases 11th Revision (ICD-11)](https://www.who.int/news/item/14-02-2025-who-releases-2025-update-to-the-international-classification-of-diseases-%28icd-11%29) as a predefined detection entry. The new dataset can be found in the [Health Information](/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/#health-information) predefined profile.
 
 ICD-10 dataset remains available for use.

src/content/changelog/dlp/2025-05-07-forensic-copy-update.mdx

@@ -4,7 +4,7 @@ description: HTTP policies can now be configured to send forensic copies for all
 date: 2025-05-07
 ---
 
-You can now [send DLP forensic copies](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination/) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.
+You can now [send DLP forensic copies](/cloudflare-one/data-loss-prevention/dlp-policies/logging-options/#send-http-requests-to-logpush-destination/) to third-party storage for any HTTP policy with an `Allow` or `Block` action, without needing to include a DLP profile. This change increases flexibility for data handling and forensic investigation use cases.
 
 By default, Gateway will send all matched HTTP requests to your configured DLP Forensic Copy jobs.
 

src/content/changelog/dlp/2025-05-12-case-sensitive-cwl.mdx

@@ -4,6 +4,6 @@ description: Custom Word Lists can now be configured to enforce case sensitivity
 date: 2025-05-12
 ---
 
-You can now configure [custom word lists](/cloudflare-one/policies/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.
+You can now configure [custom word lists](/cloudflare-one/data-loss-prevention/detection-entries/#custom-wordlist) to enforce case sensitivity. This setting supports flexibility where needed and aims to reduce false positives where letter casing is critical.
 
 ![dlp](~/assets/images/changelog/dlp/case-sesitive-cwl.png)

src/content/changelog/dlp/2025-07-17-document-matching.mdx

@@ -4,7 +4,7 @@ description: Upload a document as a detection entry type to be identified in tra
 date: 2025-07-17
 ---
 
-You can now create [document-based](/cloudflare-one/policies/data-loss-prevention/detection-entries/#documents) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files.
+You can now create [document-based](/cloudflare-one/data-loss-prevention/detection-entries/#documents) detection entries in DLP by uploading example documents. Cloudflare will encrypt your documents and create a unique fingerprint of the file. This fingerprint is then used to identify similar documents or snippets within your organization's traffic and stored files.
 
 ![DLP](~/assets/images/changelog/dlp/document-match.png)