The PDP (Policy Decision Point - Process that collects and shares Identities) and PEP (Policy Enforcement Point - process that enforces network access restrictions) processes on the Gateway handle processing sign-on / sign-off events. Depending on your configuration, a Gateway could be both a PDP and a PEP. Or, if you have multiple Gateways, you may want to assign one the PDP role and have other Gateways share identity information from it. In this distributed model, the other Gateways collecting identity data would only utilize the PEP process.
If you are using AD query, the PDP is monitoring Active Directory logs for Logon / Logoff events for each user in your environment. When the PDP sees these actions, the Identity Awareness "tables" are updated and identities inside Identity Awareness are either created or revoked.
The tricky thing about AD query as the sole authentication method is that users could stay logged in on systems for long periods of time without creating Logon/Logoff events. Or, alternately, they could generate lots of events that could keep refreshing that 720 minute keep-alive. For example, locking and unlocking your workstation triggers such an event. Accessing a remote File Share mapped with their AD credentials also creates a logon event. So, depending on users' habits, you may have some users who never time out because they are constantly locking and unlocking their machine in that 12 hour window. AD / LDAP itself won't send an event after 720 minutes to log the user's Identity Awareness session off.
I had this kind of issue with users who frequently moved between our 3 buildings and Wi-Fi, which all use different IP Subnets. They would disconnect / reconnect to a different LAN without ever creating an AD Logon or Logoff event, and the PDP's User Table wouldn't have the right IP for that user and their access would break. I would usually tell them to lock/unlock the machine, or open a File Share to restore their access... enter the IA Agent!
If you are experiencing unpredictable results using AD Query, you may want to consider deploying the IA Agent. It is very lightweight and transparent to the user, but it is capable of providing more up-to-the-minute Identity information to the PDP about the machines and users connected to your network. The Agent can be configured to phone-home at a tighter interval to keep your user tables more current. You can also make the agent "time-out" at a shorter interval. If you are using the SSO option (highly recommended), this re-auth will happen completely transparently to the user. But, it will verify their machine is still logged on and being used.
There are also fantastic command line tools to help troubleshoot IA issues. You can run commands against the pdp or pep processes to see the state of things. For example, pep show user query usr <username> is a staple when you need to troubleshoot a single user.
Hope this helps!
R80 CCSA / CCSE
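As an added illustration that is not part of this post or of Check Point's software, here is a small Python model of the identity table behaviour described above: AD Query entries are refreshed by any logon event and aged out only by the PDP's own 720 minute timer, so a user who moves subnets without an event goes stale, while an agent that phones home with the new IP on a shorter (assumed, hypothetical 15 minute) interval keeps the entry current.

```python
"""Constructed toy model of an Identity Awareness user table (not Check Point code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AD_QUERY_TIMEOUT_MIN = 720   # the 720 minute keep-alive discussed in the post
AGENT_TIMEOUT_MIN = 15       # assumed shorter agent interval (hypothetical value)


@dataclass
class Identity:
    user: str
    ip: str
    expires_at: int  # minutes since start of the scenario


class IdentityTable:
    def __init__(self, timeout_min: int):
        self.timeout_min = timeout_min
        self.by_user: Dict[str, Identity] = {}

    def on_identity_event(self, user: str, ip: str, now: int) -> None:
        # Any AD logon event (interactive logon, unlock, share access) or agent
        # update creates/refreshes the entry and restarts the keep-alive window.
        self.by_user[user] = Identity(user, ip, now + self.timeout_min)

    def expire(self, now: int) -> None:
        # AD never sends a "timed out" event; the PDP must age entries itself.
        for user in [u for u, i in self.by_user.items() if i.expires_at <= now]:
            del self.by_user[user]

    def user_for_ip(self, ip: str, now: int) -> Optional[str]:
        # What the PEP resolves for a source IP when enforcing an identity rule.
        self.expire(now)
        return next((i.user for i in self.by_user.values() if i.ip == ip), None)


def roaming_scenario(timeout_min: int, agent: bool) -> Tuple[Optional[str], Optional[str], int]:
    """Returns (user seen on new IP, user seen on old IP, expiry minute) after a subnet move."""
    table = IdentityTable(timeout_min)
    table.on_identity_event("alice", "10.1.0.5", now=0)      # logon in building 1 (constructed)
    table.on_identity_event("alice", "10.1.0.5", now=600)    # lock/unlock refreshes keep-alive
    if agent:                                                # move to building 2 Wi-Fi at minute 800
        table.on_identity_event("alice", "10.3.0.9", now=800)  # agent phones home with new IP
    seen_new = table.user_for_ip("10.3.0.9", now=801)
    seen_old = table.user_for_ip("10.1.0.5", now=801)
    return seen_new, seen_old, table.by_user["alice"].expires_at
```

With AD Query only, the new IP resolves to nobody while the stale old IP stays "alice" until minute 1320; with the agent, the new IP is correct within a minute and the entry would age out at 815 if the agent went silent.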