Access restrictions can be applied to which of the following?

Access restrictions can be applied to both user sessions and API keys. This means that organizations can implement security measures that control who can access specific systems and data through user authentication and authorization, as well as regulate access via API keys, which are essential for ensuring that only verified applications and users can communicate with services.

User sessions involve real-time interactions where users authenticate themselves to access resources. Access control measures can ensure that actions taken during these sessions are monitored and limited based on user roles or permissions. This helps protect sensitive data and resources from unauthorized access.

API keys serve as unique identifiers and secrets that authenticate requests made to an application. By applying access restrictions to API keys, organizations can limit access to specific APIs based on defined criteria, ensuring that only trusted services can utilize them. This helps prevent misuse or unauthorized access to application functionalities and data.

The other options do not encompass the comprehensive scope of access restrictions applicable in a modern security framework. Thus, the correct understanding of access restrictions lies in recognizing their applicability to both user sessions and API keys, as well as understanding the importance of securing both types of access.