The organization must remove inactive user accounts periodically (purging).
CIS Controls 16.9 Disable Dormant Accounts: Automatically disable dormant accounts after a set period of inactivity.
NIST 800-53 AC-2 (3): The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
NIST 800-53 AC-2 (10): The information system terminates shared/group account credentials when members leave the group.
NIST 800-53 AC-2 (13): The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period of discovery of the risk].
PCI DSS v3.2.1 - Requirement 8.1.4: Remove/disable inactive user accounts within 90 days.