Security policy is applied incorrectly (likely cached)
Security policies are applied incorrectly ~20% of the time on our project. While they work correctly the majority of the time, on a number of MRs they apply an additional review incorrectly. After experiencing this problem over the span of 5 hours I disabled the rule and, weirdly enough, it was still applied to some MRs a whole day later. I had to change the linked project to a repository with no security policies in it to resolve the problem. Both of these symptoms seem to suggest some lazy evaluation of the policy stored in a cache.
The following is an example which should never be able to occur, much less with our specific rule.
```yaml
---
scan_result_policy:
- name: SAST >= high
  description: Do not allow any new critical or high severity SAST vulnerabilities.
  enabled: true
  rules:
  - type: scan_finding
    branches: []
    scanners:
    - sast
    vulnerabilities_allowed: 0
    severity_levels:
    - critical
    - high
    vulnerability_states:
    - newly_detected
  actions:
  - type: require_approval
    approvals_required: 1
    user_approvers_ids:
    - redacted
```
Even after refreshing more than 12 hours after disabling the rule, this still occurred. This completely blocks being able to use the security policies.
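To make precise what the policy above is expected to do on any given MR, here is a small local evaluator of that rule. This is an added example, not GitLab's policy engine or any code from this project; it only models the semantics the YAML fields express (scanner, severity and state filters, the `vulnerabilities_allowed` threshold, the `enabled` flag) and assumes that an empty `branches` list means "every target branch". The `Finding` type and its state labels are constructed for the example.

```python
"""Local evaluator for the scan_result_policy rule in the report (constructed example)."""
from dataclasses import dataclass

# Transcribed from the policy YAML above; key names follow that file.
POLICY = {
    "name": "SAST >= high",
    "enabled": True,
    "rules": [{
        "type": "scan_finding",
        "branches": [],                      # assumed: [] means all target branches
        "scanners": ["sast"],
        "vulnerabilities_allowed": 0,
        "severity_levels": ["critical", "high"],
        "vulnerability_states": ["newly_detected"],
    }],
    "actions": [{
        "type": "require_approval",
        "approvals_required": 1,
        "user_approvers_ids": ["redacted"],
    }],
}


@dataclass(frozen=True)
class Finding:
    """One vulnerability finding on an MR (constructed; not GitLab's report format)."""
    scanner: str    # e.g. "sast", "dependency_scanning"
    severity: str   # e.g. "critical", "high", "medium"
    state: str      # assumed labels: "newly_detected" or "previously_existing"


def rule_matches(rule, target_branch, findings):
    """True when this scan_finding rule is triggered by the given findings."""
    if rule["type"] != "scan_finding":
        return False
    # Assumption: an empty branches list applies the rule to every target branch.
    if rule["branches"] and target_branch not in rule["branches"]:
        return False
    hits = [
        f for f in findings
        if f.scanner in rule["scanners"]
        and f.severity in rule["severity_levels"]
        and f.state in rule["vulnerability_states"]
    ]
    # The threshold is strict: 0 allowed means a single matching finding triggers it.
    return len(hits) > rule["vulnerabilities_allowed"]


def required_approvals(policy, target_branch, findings):
    """Number of extra approvals the policy should add to an MR; 0 means none."""
    if not policy["enabled"]:
        return 0  # a disabled policy must never add a review
    if not any(rule_matches(r, target_branch, findings) for r in policy["rules"]):
        return 0
    return sum(
        a["approvals_required"]
        for a in policy["actions"]
        if a["type"] == "require_approval"
    )


if __name__ == "__main__":
    # Constructed sample MRs against the policy.
    new_high_sast = [Finding("sast", "high", "newly_detected")]
    old_critical_sast = [Finding("sast", "critical", "previously_existing")]
    print("new high SAST    ->", required_approvals(POLICY, "main", new_high_sast))
    print("old critical SAST ->", required_approvals(POLICY, "main", old_critical_sast))
```

Only the first sample MR should receive the extra approval; an MR whose only critical finding already existed on the target branch, whose new finding is medium severity, or whose new finding came from a different scanner should get none, and a disabled copy of the policy should add nothing regardless of findings.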
