Running VIP Authentication Hub, the preview API per application risk policies ( admin/v1/RiskPolicies ) are ignored against the Tenant level risk policies (/iarisk/v1/RiskRules) when invoking API (iarisk/v1/UserRiskScoreEvaluator) with the application field in the body.

The product works as designed.

If a rule should not be triggered at the Application level, don't configure the same in the risk policies.

If the risk rule is turned off at the Tenant level, then this implies that such a rule should not be used by any applications in that given Tenant.

So, to fix this, enable all rules at the Tenant level and configure only the rules that are needed at the Application level in the risk policies.