Applications and Access Groups

I have a few Applications defined under the Private Network type. I have also created several Access Groups that I would like to use to aid in defining policies for accessing these applications. However, I cannot figure out for the life of me how to use these Access Groups in the policies! The documentation and Google search results that I have found all make it sound like Access Groups should be one of the selectors in the policies, but it isn’t listed under the Identity selector, nor is it listed in the other selectors. I’m stuck.