Just to beat this dead horse into a plowshare, you could get the effect you want (maybe?) like this:
- name: Install policies
hosts: mgmt
connection: httpapi
tasks:
- name: install-policy
check_point.mgmt.cp_mgmt_install_policy:
access: true
threat_prevention: false
policy_package: "{{ policyset }}"
targets: "{{ item }}"
with_inventory_hostnames:
- all:!mgmt
vars:
policyset: "{{ hostvars[item].policyset }}"
run_once: true
when: policyset is defined
That is, use task variables to set the variable explicitly from the corresponding host’s variables — even though you are targeting one of your "mgmt" hosts. (“One of” b/c of the "run_once:" bit; you don’t want to do it across more than one I don’t think.)