Traffic matching an established session will continue to flow as long as that session remains active. When you delete the security policy, no *new* flows will be created, but existing flows will stay active until they age out.
As Alex suggested, using policy-rematch will cause all active sessions to be re-evaluated against the security policies upon a commit, and sessions will be torn down if they are no longer permitted.
You can also manually clear the sessions using "clear security flow session" and specifying various criteria -- or clearing ALL sessions. Be careful with that, because it will drop ALL sessions and any existing flows will stop and need to be restarted, including your SSH session to the CLI and all your users' traffic flows. 🙂