@k3vmo When my org still needed to bind Macs to AD my approach was to use two policies to drive the binding process (our network topology prevents using a Network Segment restriction to limit a binding policy from running if a Mac wasn't on the internal network which would have been the "easy" way):

Policy 1 was a Bind policy and used a custom trigger (e.g. DoADBind)

Policy 2 ran a script that checked to see if an internal only server was accessible, and if so it ran the command "jamf policy -event DoADBind" to trigger the bind

Very similar for me, my enrolment complete would check for a domain controller then proceed to call the policy by custom trigger event. If not, wait for device to be back on site before trying.

Enrollment complete policy
ping -c 1 mydc.domain.internal &> /dev/null && jamf policy -event ADbind || echo "Not on site for AD bind."

ADbind policy
Scoped Startup / AD Not Bound / Limited by internal network segments. When complete;
/usr/bin/touch /Library/Application\\ Support/JAMF/Receipts/EnrolmentADBind.pkg

Not sure how you have ISE verifying the device in AD. But I have seen in the past that you could (From AD Users and Computers) add a new computer to the OU that the mac would be bound to. Then as long as the mac has the correct cert it will meet ISE requirements. You could also get fancy and use the jamf API to create a list of devices in jamf then leverage a power shell script to import those computer names into AD.