The application server must disable accounts when the accounts are no longer associated to a user.

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality, which reduce the attack surface of the system.