Security Audit performs static analysis of the API contract file. Any potential vulnerability stemming from the API design is reported.
No actual API invocations are made at this phase. Only the contract is analyzed.
Conformance Scan, on the other hand, invokes an actual API endpoint. Its goal is to find cases in which a call made outside the contract is nevertheless handled instead of being rejected. Examples of such calls include paths and HTTP verbs that are not in the contract, or payloads that do not conform to the formats described in the contract.
Thus, Conformance Scan complements Security Audit by adding dynamic tests of the actual implementation of the API functionality.
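The check described above, sketched as an added example (not code from the product): given a contract and a log of request/response pairs, it flags every out-of-contract request that was answered with a 2xx status instead of being rejected. The contract layout, the sample exchanges and the function names are constructed for illustration; the contract is a simplified stand-in for a real OpenAPI file.

```python
import re

# Constructed contract: path template -> verb -> body schema (None = no body).
CONTRACT = {
    "/users": {"get": None,
               "post": {"fields": {"name": str, "age": int}, "additional": False}},
    "/users/{id}": {"get": None},
}

def match_path(path):
    """Return the contract template that matches a concrete path, or None."""
    for template in CONTRACT:
        pattern = "^" + re.sub(r"\{[^/}]+\}", "[^/]+", template) + "$"
        if re.match(pattern, path):
            return template
    return None

def contract_violation(method, path, body=None):
    """Return why a request is outside the contract, or None if it conforms."""
    template = match_path(path)
    if template is None:
        return "undeclared path"
    ops = CONTRACT[template]
    if method.lower() not in ops:
        return "undeclared verb"
    schema = ops[method.lower()]
    if schema is None:
        return None
    if not isinstance(body, dict):
        return "payload is not an object"
    for field, typ in schema["fields"].items():
        if field not in body:
            return f"missing field {field}"
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(body[field], bool) or not isinstance(body[field], typ):
            return f"wrong type for {field}"
    extra = sorted(set(body) - set(schema["fields"]))
    if extra and not schema["additional"]:
        return f"undeclared field {extra[0]}"
    return None

def findings(exchanges):
    """List out-of-contract requests that were handled (2xx) rather than rejected."""
    return [(m, p, why) for m, p, body, status in exchanges
            if (why := contract_violation(m, p, body)) and 200 <= status < 300]

# Constructed log: (method, path, body, response status).
EXCHANGES = [
    ("POST", "/users", {"name": "a", "age": 3}, 201),                   # conforms
    ("DELETE", "/users/7", None, 204),                                  # verb not in contract
    ("GET", "/admin", None, 404),                                       # rejected as expected
    ("POST", "/users", {"name": "a", "age": "3"}, 201),                 # wrong type accepted
    ("POST", "/users", {"name": "a", "age": 3, "role": "admin"}, 400),  # rejected
]
```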