Policies that were defined to go to a set of computers, with an exclude filter defined, ended up going to computers in the exclude filter.
There is a very unlikely scenario where, during a filter update, an excluded computer could briefly fall into a target, allowing things to run on computers that should have been excluded.
When the Delta Resource Membership Update runs, it clears the membership of the filter first and then rebuilds it. If this takes 1 second and a computer from the exclude example above checks in during that 1 second, it could get the policy if its membership cache was out of date and it had to evaluate its applicability again.
NOTE: An updated version of this stored procedure was added to our ITMS 8.5 release.
To resolve this, back up the existing stored procedure spResourceTargetDeltaUpdate and execute the attached file against the Symantec_CMDB database to create an updated version that does not clear the membership as the initial step.
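The window described above, and one way an update can avoid it, modelled as an added example that is not the vendor's stored procedure. The table, filter names and computers are constructed, and the delta approach is an assumption about how membership can be updated without clearing it first.

```python
import sqlite3

def setup():
    # Constructed schema and data; this is not the Symantec_CMDB schema.
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit per statement
    db.execute("CREATE TABLE membership (filter TEXT, computer TEXT,"
               " PRIMARY KEY (filter, computer))")
    db.executemany("INSERT INTO membership VALUES (?, ?)",
                   [("include", "pc1"), ("include", "pc2"),
                    ("include", "srv1"), ("exclude", "srv1")])
    return db

def policy_applies(db, computer):
    # Target = members of the include filter that are not in the exclude filter.
    row = db.execute(
        "SELECT EXISTS(SELECT 1 FROM membership WHERE filter='include' AND computer=?)"
        " AND NOT EXISTS(SELECT 1 FROM membership WHERE filter='exclude' AND computer=?)",
        (computer, computer)).fetchone()
    return bool(row[0])

def clear_then_rebuild(db, flt, new_members, check_in):
    # Behaviour described in the article: empty the filter, then repopulate it.
    seen = []
    db.execute("DELETE FROM membership WHERE filter=?", (flt,))
    seen.append(check_in(db))  # a check-in landing between the two steps
    db.executemany("INSERT INTO membership VALUES (?, ?)",
                   [(flt, c) for c in new_members])
    seen.append(check_in(db))
    return seen

def delta_update(db, flt, new_members, check_in):
    # Assumed alternative: remove only stale rows, add only new rows.
    seen = []
    current = {r[0] for r in db.execute(
        "SELECT computer FROM membership WHERE filter=?", (flt,))}
    new = set(new_members)
    db.executemany("DELETE FROM membership WHERE filter=? AND computer=?",
                   [(flt, c) for c in current - new])
    seen.append(check_in(db))  # same mid-update check-in as above
    db.executemany("INSERT INTO membership VALUES (?, ?)",
                   [(flt, c) for c in new - current])
    seen.append(check_in(db))
    return seen

def run(update):
    # srv1 stays excluded; srv2 is newly added to the exclude filter.
    db = setup()
    return update(db, "exclude", ["srv1", "srv2"],
                  lambda d: policy_applies(d, "srv1"))
```

Each returned list holds the applicability result for srv1 at the mid-update check-in and again after the update completes.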