When using the policy evaluation endpoint, the subject can be specified as an SSO token value, a JWT, or a set of JWT claims.
The scripted policy condition API has access to the identity object to retrieve attributes about the subject (from the subjects data store). When the subject is provided as an SSO token, the identity object is available. When the subject is provided as a claim set (universal ID as "sub"), the identity object is NOT available, even though the attributes can be returned in the REST response as response attributes.
This seems to be a known limitation and there is no suitable solution for this issue at this time.