We have a zero-trust policy implemented into our software development governance policy. How can AREP be operational with this type of policy in place as it is deeply integrated into our day-to-day business apps and needs access to our user information?

It is possible to control what robots do thanks to the authoring tools that control what a robot can or cannot do when they run (i.e. they can only do what they were programmed to do). Additionally, logging capabilities permit you to audit the entire process.