IAM users who have not logged into AWS and have not generated any API activity for a period of 30 days should be classified as inactive.

Recommendation:
IAM user accounts that exhibit no activity—either through login or API usage—for 30 consecutive days or more should be terminated to reduce the attack surface and minimize the risk of unauthorized access.