diff --git a/Source/santad/SNTPolicyProcessor.m b/Source/santad/SNTPolicyProcessor.m
index 27dbaf8ed..845286e60 100644
--- a/Source/santad/SNTPolicyProcessor.m
+++ b/Source/santad/SNTPolicyProcessor.m
@@ -27,6 +27,7 @@ @interface SNTPolicyProcessor ()
 @property SNTRuleTable *ruleTable;
+@property SNTConfigurator *configurator;
 @end
 @implementation SNTPolicyProcessor
@@ -35,6 +36,7 @@ - (instancetype)initWithRuleTable:(SNTRuleTable *)ruleTable {
 self = [super init];
 if (self) {
 _ruleTable = ruleTable;
+ _configurator = [SNTConfigurator configurator];
 }
 return self;
 }
@@ -49,10 +51,16 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
 cd.teamID = teamID;
 cd.signingID = signingID;
+ SNTClientMode mode = [self.configurator clientMode];
+ cd.decisionClientMode = mode;
+
 // If the binary is a critical system binary, don't check its signature.
 // The binary was validated at startup when the rule table was initialized.
 SNTCachedDecision *systemCd = self.ruleTable.criticalSystemBinaries[cd.sha256];
- if (systemCd) return systemCd;
+ if (systemCd) {
+ systemCd.decisionClientMode = mode;
+ return systemCd;
+ }
 NSError *csInfoError;
 if (certificateSHA256.length) {
@@ -110,7 +118,7 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
 // If transitive rules are enabled, then SNTRuleStateAllowListCompiler rules
 // become SNTEventStateAllowCompiler decisions. Otherwise we treat the rule as if
 // it were SNTRuleStateAllow.
- if ([[SNTConfigurator configurator] enableTransitiveRules]) {
+ if ([self.configurator enableTransitiveRules]) {
 cd.decision = SNTEventStateAllowCompiler;
 } else {
 cd.decision = SNTEventStateAllowBinary;
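Review bot: Fetching the singleton inside `init` (`_configurator = [SNTConfigurator configurator];`) hard-wires the processor to global state at construction time, so the new `configurator` property is no easier to substitute in a test than the inline `[SNTConfigurator configurator]` calls it replaces. Since the dependency is now an ivar anyway, a designated initializer that accepts it, with the existing `initWithRuleTable:` delegating to it, keeps every caller unchanged and lets a test pass a stub; the matching declaration in the header is outside this diff. Whether the project's tests instead rely on mocking the class method I can't tell from here, so treat this as a testability suggestion rather than a defect.
```objc
- (instancetype)initWithRuleTable:(SNTRuleTable *)ruleTable {
  return [self initWithRuleTable:ruleTable configurator:[SNTConfigurator configurator]];
}

- (instancetype)initWithRuleTable:(SNTRuleTable *)ruleTable
                     configurator:(SNTConfigurator *)configurator {
  self = [super init];
  if (self) {
    _ruleTable = ruleTable;
    _configurator = configurator;
  }
  return self;
}
```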
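Review bot: `systemCd.decisionClientMode = mode;` writes into the shared `SNTCachedDecision` held in `self.ruleTable.criticalSystemBinaries`, so every caller that looks up the same critical binary now sees whatever mode the most recent caller stored, and if `decisionForFileInfo:` runs on more than one thread this is an unsynchronized write to a shared object as well. The write is probably harmless today because the client mode is global, but the cached entry is no longer immutable after this change, which the comment just above it (`The binary was validated at startup when the rule table was initialized.`) suggests it is meant to be. Consider stamping `decisionClientMode` on those entries once where the table is built, or returning a copy with the mode applied if `SNTCachedDecision` supports copying; I can't see its declaration from here. Capturing `mode` once at entry is a good change in itself, since the decision and `cd.decisionClientMode` can no longer disagree if the configuration changes mid-evaluation. The enclosing `decisionForFileInfo:` starts and ends outside the hunk.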
@@ -120,7 +128,7 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
 // If transitive rules are enabled, then SNTRuleStateAllowTransitive
 // rules become SNTEventStateAllowTransitive decisions. Otherwise, we treat the
 // rule as if it were SNTRuleStateUnknown.
- if ([[SNTConfigurator configurator] enableTransitiveRules]) {
+ if ([self.configurator enableTransitiveRules]) {
 cd.decision = SNTEventStateAllowTransitive;
 return cd;
 } else {
@@ -198,9 +206,6 @@ - (nonnull SNTCachedDecision *)decisionForFileInfo:(nonnull SNTFileInfo *)fileIn
 return cd;
 }
- SNTClientMode mode = [[SNTConfigurator configurator] clientMode];
- cd.decisionClientMode = mode;
-
 switch (mode) {
 case SNTClientModeMonitor: cd.decision = SNTEventStateAllowUnknown; return cd;
 case SNTClientModeLockdown: cd.decision = SNTEventStateBlockUnknown; return cd;
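Review bot: With the local read removed, `switch (mode)` now consumes a value declared roughly 150 lines earlier at the top of `decisionForFileInfo:` (in an earlier hunk), which a reader of this tail cannot see, so a one-line comment here would help: `// mode was captured once at method entry so the decision and cd.decisionClientMode always agree.` The remaining cases of the switch and the end of the method are outside the hunk; if the switch has no fail-closed `default:` for an unexpected mode value, that is worth confirming separately, since an unknown binary should never be allowed by accident.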