This is an expected behavior.
A Unified Policy may contain filter criteria that cannot be resolved on the connection's first packet, such as Application or Data. Therefore, on some connections, the final rule match decision will occur on the following data packets. Until the final decision is reached, the incoming data packets are accepted by rule base, if there is a rule that allows it (meaning if one of the possibly matched rules is not with Drop/Reject action).
In scenarios in which the connection ends without applicative data content at all (no data packets), or the amount of data is not enough for the required engine detection, the rule base will issue an Accept log with the first rule that allows the traffic. This rule may not have complete adequacy with all the applicative criteria because some of them have not been detected yet.
The corresponding log will contain one of the following Reason strings: