When you are offered criticisms like these from a third party, ask for a citation or a source of authority for the recommendation in writing. That should synthesize the conversation.
A suggestion that you address 311 Special Measures (one of your other questions) in your policy is simply reasonable. Although there is nothing that says it must be addressed in your policy, it's the subject of one of the "core" examination procedures listed in the BSA/AML manual. A suggestion that you should have a policy on each core examination procedure that actually affects your bank is a good one.
The other two things you mentioned, "de-risking" and "human trafficking" are both things that your bank should be familiar with; i.e. incorporate into your planning and training, but there is no need for a policy on either.
As another poster indicated, your bank's policy on human trafficking would be like its policy on financial exploitation of the elderly, wire transfer fraud, structuring, account takeover, etc. You are opposed to it. You will train your employees to look for it. If you see it, you will attempt to put a stop to it and report it as the law requires you to.
"De-risking" is a reference to a current regulatory hot button. (Ten years ago it was called "discontinuance.") You could identify customers whose status is a concern to you in your risk assessment and from there reach any necessary conclusions in your policy regarding what circumstances you will supply services to them. Currently, the term would better describe a criticism you are trying to avoid rather than the object of a policy.
P.S. If your auditor cannot support a suggestion, it's okay to say you flatly disagree until such time as support is offered. Say it in writing and support your position.