I'm afraid there is no option to import AD Security groups in SEP.
Given your requirements though, I'd be more inclined to assign the policies using SEP custom groups rather than AD-imported ones (although this preference is based upon the fact that most AD structures I've encountered do not usually lend themselves to managing AV, which may not be the case with your structure).
Your proposed setup sounds solid though:
- One group for the SEP Clients that allow USB access, working in Computer Mode
- All other SEP Clients in User Mode
- Users split into two groups: those that are blocked from USB devices, and those that have access
The only thing I can add is to look into the availability of your SEPM(s), and investigate load balancing/fault tolerance if not already implemented. When in User Mode, the SEP Client contacts the SEPM for the policies appropriate for the user when they log in. If the SEPM is unavailable, then the SEP Client will revert to the policies applied for the previous user.