Certain VIP tokens are not being expired and set to INACTIVE when the credential expiration policy is in use.
You can set credentials to expire after a specified amount of time if users do not use them to authenticate successfully. Once a credential expires, it becomes inactive and can no longer be used to authenticate a user. An administrator can return the credential to a valid status in VIP Manager. The credential expiration setting applies to:
Hardware tokens and cards
VIP Access for Mobile or Desktop
SMS
Voice Call
Service-generated OTP authenticators
The credential expiration policy does not apply to:
Passwordless Credentials
Remembered Device (set this expiration in the Remembered Device Policy)
If users are bound to a credential, the credential expires after the date configured in this policy, based on the last validated date. If there is no last validated date (for example, the credential has never been used), VIP uses the date that the credential was bound to the users.
If no users are bound to a credential, the credential expires only if it is in an ENABLED state and has a 'last validated' date. Otherwise, the credential does not expire.
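The two rules above explain which tokens the policy never touches. The following added example (not Symantec code and not a VIP API) applies them to a constructed inventory to flag such credentials. The record fields, the day-based idle period and the strict comparison at the boundary are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Credential:                    # hypothetical record, not a VIP API type
    cred_id: str
    state: str                       # "ENABLED", "INACTIVE", ...
    bound_users: int
    last_validated: Optional[date]   # None = never used to authenticate
    bound_on: Optional[date]         # None = not bound to any user

def reference_date(c: Credential) -> Optional[date]:
    """Date the idle period counts from; None means the policy never expires it."""
    if c.bound_users > 0:
        # Bound: last validated date, falling back to the bind date.
        return c.last_validated or c.bound_on
    # Unbound: only ENABLED credentials with a last validated date qualify.
    if c.state == "ENABLED" and c.last_validated is not None:
        return c.last_validated
    return None

def classify(c: Credential, max_idle_days: int, today: date) -> str:
    ref = reference_date(c)
    if ref is None:
        return "NEVER_EXPIRES"
    # Assumption: expiry occurs once the idle period is strictly exceeded.
    return "EXPIRED" if today - ref > timedelta(days=max_idle_days) else "VALID"

def audit(inventory, max_idle_days, today):
    return {c.cred_id: classify(c, max_idle_days, today) for c in inventory}

# Constructed sample inventory (IDs, dates and the DISABLED state are made up).
SAMPLE = [
    Credential("tok-A", "ENABLED", 1, date(2024, 1, 10), date(2023, 11, 1)),
    Credential("tok-B", "ENABLED", 1, None, date(2024, 5, 1)),
    Credential("tok-C", "ENABLED", 0, date(2024, 1, 1), None),
    Credential("tok-D", "ENABLED", 0, None, None),
    Credential("tok-E", "DISABLED", 0, date(2023, 12, 1), None),
]

if __name__ == "__main__":
    for cred_id, verdict in audit(SAMPLE, 90, date(2024, 6, 1)).items():
        print(f"{cred_id}: {verdict}")
```

Credentials reported as NEVER_EXPIRES (here the unbound tok-D and tok-E) are the ones to review and deactivate manually, since the expiration policy will not set them to INACTIVE.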