CA PAM has two options under Global setting > accounts: “Remove Disabled After (Days)” and “Disable Inactive After (Days)”.
These settings work for local accounts. This article explains what happens in the case of LDAP accounts.
This applies to all versions of CA PAM.
These settings do not affect the LDAP-imported users.
If an LDAP user is expired or disabled, it will still be present in CA PAM and it won't be automatically removed from the product.
This is because the addition, removal and refreshing of LDAP users are controlled solely by Active Directory. As long as a user is a member of an AD LDAP group that is used in PAM, the user will not be removed from CA PAM.
When the user logs in, authentication is delegated to AD, so if a user is disabled or expired in AD, access will not be granted, whether or not the user is still present in CA PAM.
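Because disabled or expired LDAP users stay listed in CA PAM, it can be useful to report which ones AD would already refuse. The following is an added example, not part of the original article and not CA PAM code: it assumes the PAM user list and the AD attributes (`sAMAccountName`, `userAccountControl`, `accountExpires`) were exported separately, and all function names and sample data are constructed for illustration.

```python
from datetime import datetime, timezone

ACCOUNTDISABLE = 0x0002            # userAccountControl bit set on disabled AD accounts
NEVER = (0, 0x7FFFFFFFFFFFFFFF)    # accountExpires values that mean "never expires"
EPOCH_DELTA_S = 11644473600        # seconds between 1601-01-01 and 1970-01-01

def filetime_to_datetime(ft):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime.fromtimestamp(ft // 10_000_000 - EPOCH_DELTA_S, tz=timezone.utc)

def ad_state(entry, now):
    """Return 'disabled', 'expired' or 'active' for one exported AD entry."""
    if int(entry["userAccountControl"]) & ACCOUNTDISABLE:
        return "disabled"
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER and filetime_to_datetime(expires) <= now:
        return "expired"
    return "active"

def stale_pam_users(pam_users, ad_entries, now):
    """Map each LDAP-imported PAM user that AD would reject to the reason."""
    by_name = {e["sAMAccountName"].lower(): e for e in ad_entries}
    report = {}
    for name in pam_users:
        entry = by_name.get(name.lower())
        if entry is None:
            report[name] = "not found in AD export"
            continue
        state = ad_state(entry, now)
        if state != "active":
            report[name] = state
    return report

# Constructed sample data: a PAM user export and an AD attribute dump.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PAM_USERS = ["alice", "bob", "carol", "dave"]
AD_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": "512", "accountExpires": "0"},
    {"sAMAccountName": "bob", "userAccountControl": "514",
     "accountExpires": "9223372036854775807"},
    {"sAMAccountName": "carol", "userAccountControl": "512",
     "accountExpires": "133485408000000000"},  # 2024-01-01 00:00 UTC
]

if __name__ == "__main__":
    for user, reason in stale_pam_users(PAM_USERS, AD_ENTRIES, NOW).items():
        print(f"{user}: {reason}")
```

The users it reports are candidates for cleanup on the AD side (for example, removal from the LDAP group used in PAM), since the PAM global settings above do not act on them.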