Control Responsibility: Assign & Define Ownership

How to determine policy responsibility

Use N/A responsibility when a policy doesn't apply to your organization

Some policies apply to an organization, while others do not. The policy responsibility setting indicates whether a given policy is the organization's own responsibility (called "direct" responsibility, which is the default) or does not apply to the organization at all ("N/A" responsibility).

"N/A" responsibility is useful when a compliance framework requires the organization to cover a particular topic in its policy set, but the organization does not actually need to do anything under that policy because the topic does not apply to its business.

For example, suppose an organization is working toward SOC 2 but does not do any software development. It would still have a Secure Development policy, covering topics such as secure coding practices and security testing, but that policy would be set to N/A rather than direct responsibility.

A policy set to N/A should also have all of its related controls set to N/A.
Related: Determining Control Responsibility