It turns out that this was a cache "problem". AuthorizingRealm requires its own cache to be defined and sans doing that reverts back to the default cache (2 minute cache). The cache HAS to be named as follows:
authorizationCacheName = getClass().getName() + DEFAULT_AUTHORIZATION_CACHE_SUFFIX;
where the suffix is ".authorizationCache". Failing to define an eternal cache for this results in really odd behavior. If you override AuthorizingCache then you'll need to define the cache using your own class name as shown below.
Maybe this is in the documentation somewhere, but I totally missed it and it caused me a lot of time and effort to figure it out. The documentation does say that expiring the cache without telling Shiro about it is a very bad thing – I agree. I hope this bit of information benefits somebody else.