The further spread of cloud computing and telework has led to an increase in borderless activities, which has expanded the demand for constructing Zero-Trust Access Control (ZTAC). In this context, preventing information leakage is an important issue, and to protect sensitive data and confidential information in a zero-trust, it is necessary to monitor the user's behavior after authentication and make sequential decisions about authorization. In this research, we monitor account's behavior such clickstreams on the browser and incorporate it to evaluation of user's trust in access control system. Through the construction of behavior-based ZTAC system based on clickstreams, we have achieved access control that considers the naturalness of clicks without relying on the results of authentication. Moreover, toward solving the mismatch of click count between the system side and the end-user side, we synchronously updated the clickstream by the user-agent which observing and retrieving the click events in the DOM. As experimental evaluation, we verified that our ZTAC can deal with click count discrepancy and completely prevent various insider threat to sensitive data from even authenticated accounts. Also, we confirmed no significant differences in response time, memory usage, or CPU usage before and after the migration of zero-trust, indicating that it can be deployed in existing enterprise networks.