So, tried a few things and found we could get a policy on by killing IPS. This may cause all sorts of random results so only use this if you're desperate!
You can try the nice way
diagnose test application ipsmonitor 99
aand then try adding the policy but I had to go further: in the CLI console type
get sys perf top
Look for ipsengine..
ipsengine 6085 S 0.0 22.6
Then you can kill it..
diagnose sys kill 9 6085
the 9 is the signal and 9 means kill it dead.
It should come back. Check with the get sys perf top again.
Then you should be ok to put in a few commands without the cmdb add entry failed error.