Security Tests policy sets can only be applied On Step, but if a policy fails then ti should still be listed under Policy Evaluations for the Pipeline. Otherwise it's not as clear what happened and users have to go digging through pipeline step logs to determine why a pipeline failed