Access controls that are not based on the policy are characterized as:

A.
Secret controls

B.
Mandatory controls

C.
Discretionary controls

D.
Corrective controls

Explanation:
Access controls that are not based on the policy are characterized as discretionary
controls by the US government and as need-to-know controls by other organizations.
The latter term connotes least privilege – those who may read an item of data are
precisely those whose tasks entail the need.