Here's the answer (courtesy of support):
For every requirement within the host integrity policy, you need to check "Allow the host integrity check to pass even if this requirement fails" - that box must be checked to prevent end-user notification in the form of the SEP systray icon changing and the warning in the SEP screen. The back-end server will still get notified that elements of the policy have failed.
I should note that this is not clear in the docs or the GUI. The Notification section of the policy seems to be strictly to make custom notifications. The product should make this clearer, if anyone in the product team is reading. Thanks!