Jacc policy currently is installed via the JaccAuthorizationRealm as part of the tomcat service. Since it is a VMwide policy, it does not matter. Once the policy is installed, you get it wherever you ask.
Regarding caching of policy, you do make a point. An anomoly will exist if somebody installs a policy in an MBean service via Policy.setPolicy call, which is different from the one that was installed by default as part of the JBoss startup.