Hi @Steve l,
Thanks for reaching out.
This is expected behavior when you run the Set-AIPAuthentication command, which allows the AIP scanner service account to authenticate to the AIP service. The token sets and stores credentials for the delegated user to authenticate to Azure Information Protection.
There is no direct way to validate that the token has been acquired or to prevent its use, but your on-premises service account needs to be synchronized to Microsoft Entra ID to download and execute the scanner's policy.
Reference: https://learn.microsoft.com/en-us/purview/deploy-scanner-prereqs#service-account-requirements
I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.
Hope this helps.
Thanks,
Shweta
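As an added example (not part of the answer above, nor Microsoft's own documentation), the following shows the Set-AIPAuthentication call the answer refers to, run on the scanner machine as the scanner service account, followed by a Microsoft Graph PowerShell check that the account is synchronized to Microsoft Entra ID. The app ID, tenant ID, account names and domain are placeholders, and the Microsoft Graph check is a separate, assumed way of confirming the synchronization prerequisite rather than anything the answer states.

```powershell
# Added example with placeholder values; run in a PowerShell session on the
# scanner machine while logged on as the scanner service account.

# Entra ID app registration used by the scanner (placeholder values; the
# secret is prompted for rather than stored in the script).
$appId     = "00000000-0000-0000-0000-000000000000"
$tenantId  = "11111111-1111-1111-1111-111111111111"
$appSecret = Read-Host -Prompt "App secret for the scanner app registration"

# The synchronized service account: its Entra ID UPN is the delegated user,
# its on-premises credentials go to -OnBehalfOf (both are placeholders).
$delegatedUser = "scanner@contoso.com"
$onPremCreds   = Get-Credential -UserName "CONTOSO\scanner" `
                                -Message "On-premises scanner service account"

# Acquires and stores the delegated-user token for the scanner service account.
Set-AIPAuthentication -AppId $appId -AppSecret $appSecret -TenantId $tenantId `
    -DelegatedUser $delegatedUser -OnBehalfOf $onPremCreds

# Optional prerequisite check (assumption: Microsoft Graph PowerShell module
# installed and Connect-MgGraph already run with User.Read.All): confirm the
# delegated user is a synchronized on-premises account rather than cloud-only.
$user = Get-MgUser -UserId $delegatedUser -Property UserPrincipalName,OnPremisesSyncEnabled
if ($user.OnPremisesSyncEnabled -ne $true) {
    Write-Warning "$delegatedUser is not synchronized from on-premises AD; the scanner will not be able to download its policy."
}
```

The on-premises credential and the Entra ID UPN refer to the same account in two directories, which is why the synchronization check is worth running before troubleshooting policy download failures.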