The organization must remove inactive user accounts periodically (purging).
CIS Controls. 16.9 Disable Dormant Accounts. Automatically disable dormant accounts after a set period of inactivity.
NIST 800-53 AC-2 (3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period].
NIST 800-53 AC-2 (10) The information system terminates shared/group account credentials when members leave the group.
NIST 800-53 AC-2 (13) The organization disables accounts of users posing a significant risk within [Assignment: organization-defined time period] of discovery of the risk.
PCI DSS v3.2.1 - Requirement 8.1.4 Remove/disable inactive user accounts within 90 days.