Clarify Teams / Access / Gateway

I’m trying to implement a Zero Trust architecture. To verify my good comprehension, could you confirm or improve the following points:

Teams could be considered as the global network that proxifies access done by users to resources/applications (private or public/saas)
Access is a tool that allow policies restriction on the first access to the resource.
There is no more control once the access is granted.
Gateway apply policies on the network (and AV)
Gateway must be set with the Warp Client
APP Launcher
It’s a portal with authorized applications for users
Warp Client
Agent use to channel request to CloudFlare ;
With warp client, every request is controlled through the gateway policies in CloudFlare

How to protect resources accesses (SAAS or private) from not corporate devices (without warp client) ?
App Launcher seems to control the access once (there no continuous logging?)
How to reroute/proxify an access to a public or private apps through CloudFlare control ?