This IoE behaves like this:
The "Native Administrator Group Members" works with two "modes":
- Mode 1: "Verify the number of accounts in the AD privileged group"
  If this verification mode is chosen, the indicator counts the objects present in the group(s), then deducts from that count the whitelisted accounts defined in the options of the security profile. If the number is still exceeded, the indicator shows the non-whitelisted accounts as deviant.
- Mode 2: "Enforce the members of the AD privileged group"
  If this verification mode is chosen, the indicator checks for accounts foreign to the whitelist, regardless of the number of members. If an account not "declared" in the whitelist is added as a member, that account is reported as deviant.
Please thumb up this answer if it helped you.
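As an added illustration (not Tenable's code), the two modes described above can be modelled as follows, with constructed sample members, a constructed whitelist and an assumed `max_members` option standing in for the profile's configured maximum; it shows that Mode 1 tolerates an undeclared account as long as the count stays within the limit, while Mode 2 reports it immediately:

```python
# Added example, not code from the product: a model of how the two modes of the
# "Native Administrator Group Members" indicator decide which members are deviant.
from typing import Iterable


def _norm(names: Iterable[str]) -> set[str]:
    # sAMAccountNames are case-insensitive, so compare them in lower case
    return {n.lower() for n in names}


def non_whitelisted(members: Iterable[str], whitelist: Iterable[str]) -> set[str]:
    """Members of the privileged group that are not declared in the whitelist."""
    return _norm(members) - _norm(whitelist)


def mode1_deviant(members: Iterable[str], whitelist: Iterable[str],
                  max_members: int) -> set[str]:
    """Mode 1: count the members, deduct the whitelisted ones, and report the
    remaining (non-whitelisted) accounts only if their number still exceeds the
    configured maximum. `max_members` is an assumed name for that option."""
    remaining = non_whitelisted(members, whitelist)
    return remaining if len(remaining) > max_members else set()


def mode2_deviant(members: Iterable[str], whitelist: Iterable[str]) -> set[str]:
    """Mode 2: every member not declared in the whitelist is deviant,
    regardless of how many members the group has."""
    return non_whitelisted(members, whitelist)


# Constructed sample data: members of a privileged group and the profile whitelist
DOMAIN_ADMINS = ["Administrator", "svc-backup", "jdoe-admin"]
WHITELIST = ["administrator", "svc-backup"]

if __name__ == "__main__":
    # One undeclared account; Mode 1 with max 1 stays silent, max 0 reports it
    print("mode 1, max 1:", mode1_deviant(DOMAIN_ADMINS, WHITELIST, max_members=1))
    print("mode 1, max 0:", mode1_deviant(DOMAIN_ADMINS, WHITELIST, max_members=0))
    print("mode 2       :", mode2_deviant(DOMAIN_ADMINS, WHITELIST))
```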