In a web policy rule set with https decryption enabled, traffic will be decrypted only if a Server Name Indicator (SNI) is present in the TLS handshake.
The above behavior is by design.
Security and Acceptable Use Policies will still be applied based on the destination servers where the request is being sent to. Destination lists can be created for these destination servers and rules can be enforced accordingly.
Any blocks for DNS policies for Tunnels and AnyConnect will still apply.