Application and Device Control driver sysplant.sys with other files are sitting above kernel and monitoring each windows API calls and based on the rule and policies definied by SEP, these drivers blocks these API requests.
When you push a policy from SEPm to SEP the policy stays at the SEP client at all time and ADC blocking is realtime.
Hope that answers your question.