filter for specific tags not getting recognized for Cognito User Pools and Cognito Identity Pools

Describe the bug

I'm trying to cleanup Cognito User Pools and Cognito Identity Pools that do not have the required tags. When I filter for those required tags the User Pools and Identity Pools are still getting deleted even when those required tags are present. It's deleting all User Pools and Identity Pools regardless of tags.

What did you expect to happen?

I expect only Cognito User Pools and Cognito Identity Pools to get deleted only when they are untagged or missing required tags.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

Custodian:   0.9.14
Python:      3.9.9 (main, Nov 21 2021, 03:23:42)
             [Clang 13.0.0 (clang-1300.0.29.3)]
Platform:    posix.uname_result(sysname='Darwin', nodename='MacBook-Pro', release='20.6.0', version='Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64', machine='x86_64')
Using venv:  True
Docker: False
Installed:

argcomplete==1.12.3
attrs==21.2.0
boto3==1.19.12
botocore==1.22.12
docutils==0.17.1
importlib-metadata==4.8.1
jmespath==0.10.0
jsonschema==3.2.0
pyrsistent==0.18.0
python-dateutil==2.8.2
pyyaml==5.4.1
s3transfer==0.5.0
setuptools==59.0.1
six==1.16.0
tabulate==0.8.9
typing-extensions==3.10.0.2
urllib3==1.26.7
zipp==3.6.0

Policy

policies:
  - name: sbox-cognito-identity-pool-delete-untagged
    resource: identity-pool
    description: |
      Cloud Custodian Cleanup Notification
    comments: |
      Notifification of deleted Cognito Identity Pools that were not tagged with retain
    filters:
      - not:
           - or:
               - tag:PAN: "true"
               - tag:retain: "true"
               - tag:LightsOut: "exclude"
               - tag:environment: "smoke"
               - tag:environment: "qc"
               - tag:gitrepo: "version-tracker-site"
               - tag:gitrepo: "tf-shared-infrastructure"
    mode:
      type: periodic
      schedule: "rate(14 days)"
      packages: [boto3, botocore, urllib3]
      role: CloudCustodian
    actions:
      - type: delete
      - type: notify
        template: default.html
        priority_header: '1'
        subject: '!!! Out of Compliance: Cognito Identity Pools have been deleted!!!'
        violation_desc:
        action_desc: |
            The following resources were deleted because they did not have retain=true tags
        to:
          - blank@blank.com
          - blank@blank.com
        transport:
          type: sqs
          queue: https://sqs.eu-west-2.amazonaws.com/9999999/CloudCustodianNotifications
  - name: sbox-cognito-user-pool-delete-untagged
    resource: user-pool
    description: |
      Cloud Custodian Cleanup Notification
    comments: |
      Notifification of deleted Cognito User Pools that were not tagged with retain
    filters:
      - not:
           - or:
               - tag:PAN: "true"
               - tag:retain: "true"
               - tag:LightsOut: "exclude"
               - tag:environment: "smoke"
               - tag:environment: "qc"
               - tag:gitrepo: "version-tracker-site"
               - tag:gitrepo: "tf-shared-infrastructure"
    mode:
      type: periodic
      schedule: "rate(14 days)"
      packages: [boto3, botocore, urllib3]
      role: CloudCustodian
    actions:
      - type: delete
      - type: notify
        priority_header: '1'
        subject: '!!! Out of Compliance: Cognito User Pools have been deleted!!!'
        violation_desc:
        action_desc: |
            The following resources were deleted because they did not have retain=true tags
        to:
          - blank@blank.com
          - blank@blank.com
        transport:
          type: sqs
          queue: https://sqs.eu-west-2.amazonaws.com/99999999/CloudCustodianNotifications

Relevant log/traceback output

No response

Extra information or context