By Identity Awareness Master, do you mean the Gateway performing the PDP role and sharing identities out to all your other Gateways?
If so, I always worked with the understanding that policy needed to be pushed any time you add a new Access Role (or modify an existing one) to all the Gateways using those roles.
An exception to that could be if you are linking your IA Roles to Active Directory groups. If you do this, membership of the AD group could be changed in Active Directory and IA should recalculate the AD Group Membership without a Policy Install. This type of design may be something to keep in mind if the goal is to avoid installing policy as much as possible.
R80 CCSA / CCSE