"Enforcing policy checks on runs - Policies are checked when a run is performed, after the terraform plan but before it can be confirmed or the terraform apply is executed."

Terraform Enterprise enforces Sentinel policies between the plan and apply phases of a run, preventing out of policy infrastructure from being provisioned. Unless overridden by an authorized user, only plans that pass all Sentinel policies checked against them are allowed to proceed to the apply step.

C. See the official diagram here: https://developer.hashicorp.com/terraform/tutorials/policy/sentinel-install

terraform plan >>>>>>sentinel policy>>>>>>>>>terraform apply

B. During the plan phase. Sentinel is a policy-as-code framework integrated with Terraform Enterprise that allows organizations to define and enforce policies on infrastructure changes. Sentinel enforces policy logic during the plan phase of a Terraform Enterprise run, before any changes are applied to the infrastructure. During the plan phase, Terraform generates an execution plan that describes the changes that will be made to the infrastructure. Sentinel evaluates policy rules against this execution plan to determine whether the proposed changes comply with the defined policies. If any violations are detected, the plan is rejected, and the changes are not applied. Sentinel does not enforce policy logic before the plan phase or after the apply phase. However, Sentinel policies can also be used to enforce compliance on policy requirements that are not directly related to infrastructure changes, such as resource tagging or naming conventions. In these cases, Sentinel policies may be evaluated at other points in the Terraform Enterprise workflow, such as during VCS (version control system) integration or during cost estimation.

Policies are enforced after the plan and before the apply commands. so, the answer is option C.