Thanks for the feedback. I looked at the detailed view and it appears the risk analysis is being run on all systems / clients that the user exists in. The technical role assigned does not exist in all the systems returning violations but the user does.
Part of me thinks this may be by design but, at the same time, it seems like it will be confusing for requesters / approvers to see all the results.