Verification of SSL inspection exception

Hi! I’m trying to find the best way of verifying that a domain is not being SSL inspected and I am confused by the results of my current method.

First I add the exception via a URL category, save, push changes. After I browse to the domain, e.g. https://cloud.google.com, I check the certificate presented by the URL bar. No Zscaler cert, so it’s working, right? However, when I use openssl I get different results:

openssl s_client -showcerts -connect cloud.google.com:443
CONNECTED(00000005)
depth=2 C = US, ST = California, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Intermediate Root CA (zscloud.net), emailAddress = support@zscaler.com
verify error:num=20:unable to get local issuer certificate
verify return:0
---

Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
i:/C=US/ST=California/O=Zscaler Inc./OU=Zscaler Inc./CN=Zscaler Intermediate Root CA (zscloud.net) (t)

Why is this happening and what are your best methods of verifying that an SSL inspection exception is working?