There is a setting called LOG=NONE on a RACROUTE security call, which is used by z/OS or application to communicate with Top Secret to check if a user can access a resource.

When a RACROUTE security call is made with the LOG=NONE setting, Top Secret does not log any violations to the Audit Tracking File or write any security violation messages when a user causes a security violation.

Although TSSUTIL cannot report violations with LOG=NONE, CEM has the functionality to report such violations. As a result, there is a discrepancy between the CEM and TSSUTIL reports. However, this is not a bug in how CEM works.