A policy is configured to apply to users in a nested group, or create an exception for users in a nested group. But the policy is not applying properly.

Users and groups are synced to CloudSOC through SpanVA ADSync

If a group does not sync properly through ADSync to CloudSOC, it may not sync again and correct itself through regular automatic syncs. The automatic syncs just sync changes to CloudSOC

Run a Full ADSync from the SpanVA to ensure that the groups are re-synced.