A policy is configured to apply to users in a nested group, or create an exception for users in a nested group. But the policy is not applying properly.

Users and groups are synced to CloudSOC through SpanVA ADSync

If a group does not sync properly through ADSync to CloudSOC, it may not sync again and correct itself through regular automatic syncs. The automatic syncs just sync changes to CloudSOC

Run a Full ADSync from the SpanVA to ensure that the groups are re-synced.

Try associating the user directly to the policy instead of relying on the group association.

To help troubleshoot this further, create a HAR file from the browser while performing the action related to the policy. This HAR file can assist Broadcom Support in troubleshooting the issue.