Policy is a bit overloaded. There are some auth policies that are enforced in the proxy (without the need to go to Mixer). Those are configured and pushed to the proxies by Pilot, but Pilot does not currently do any enforcement itself (it is not called in the request path). You are not missing any metrics.
Some more advanced/configurable policy enforcement is also available via Mixer.
Does that make sense?