Do you mark users as disabled at some point after they are inactive? If you don't, you should. You probably want to track inactive but enabled accounts with rights with the governance tool.

You could run an LDAP query filtering on disabled state, and that would eliminate those disabled accounts. I'm assuming you are using AD as your identity source.

Another option would be to populate an attribute with their accountExpires date (or possibly transform it to a boolean if it's greater than today) and then use that field when selecting identities in a review. In the transform you have a little more leeway with using Java functions and conditionals.

If you had Identity Management in place, or really any scripted maintenance mechanism, you could disable those accounts daily based on their accountExpires attribute. The big benefit is then it becomes one searchable attribute to see if they are active or not, not a comparison that changes each day.

--Jim
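
The following Python sketch is an added example, not part of the reply above and not the governance tool's own transform code. It shows the two checks the reply describes: the disabled bit in `userAccountControl`, and `accountExpires` reduced to a single boolean. It also builds an LDAP filter for accounts that are enabled but already expired. Function names and the sample rows are hypothetical; attribute values are assumed to arrive as the raw strings AD returns.

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # accountExpires counts 100 ns ticks from here
NEVER = {0, 0x7FFFFFFFFFFFFFFF}                       # both values mean "never expires"
UAC_ACCOUNTDISABLE = 0x2                              # disabled bit in userAccountControl
BIT_AND = "1.2.840.113556.1.4.803"                    # LDAP_MATCHING_RULE_BIT_AND

def to_filetime(dt):
    """Convert an aware datetime to the integer format AD stores in accountExpires."""
    d = dt - AD_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def expiry(account_expires):
    """Return the expiry as a datetime, or None when the account never expires."""
    v = int(account_expires)
    if v in NEVER:
        return None
    try:
        return AD_EPOCH + timedelta(microseconds=v // 10)
    except OverflowError:  # choice made here: dates past year 9999 count as no expiry
        return None

def is_active(uac, account_expires, now):
    """Single boolean for a review: enabled and not yet expired."""
    if int(uac) & UAC_ACCOUNTDISABLE:
        return False
    exp = expiry(account_expires)
    return exp is None or exp > now

def expired_but_enabled_filter(now):
    """LDAP filter for user accounts still enabled but past accountExpires."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(!(userAccountControl:{BIT_AND}:=2))"
            f"(accountExpires>=1)(accountExpires<={to_filetime(now)}))")

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    past = str(to_filetime(datetime(2023, 6, 30, tzinfo=timezone.utc)))
    rows = [  # constructed sample data: (sAMAccountName, userAccountControl, accountExpires)
        ("alice", "512", "9223372036854775807"),
        ("bob", "514", "0"),
        ("carol", "512", past),
    ]
    for name, uac, exp in rows:
        print(name, "active" if is_active(uac, exp, now) else "inactive")
    print(expired_but_enabled_filter(now))
```

The filter only finds the accounts at query time; once they are disabled, the disabled flag alone is enough for a review selection.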