The AnyConnect Web Security module is designed to always be on to ensure that your clients are filtered through your configured policy.
There is a feature within AnyConnect called TND (trusted network detection) which allows you to disable the module when it can reach out to a trusted server (verified via a certificate hash) only accessible on your corporate network.
The logic can be work around however to do the opposite (stay enabled via the corporate network, disabled outside the corporate network) by instead using a certificate hash of any public HTTPS website and then ensure the configured website is blocked via the corporate network.
When the users are off the corporate network AnyConnect can pull the certificate hash and disable the module. While on the corporate network, the connection to the site will not establish (due to being blocked on edge firewall for example) and not pull the hash, allowing AnyConnect to still stay enabled and filtering.