When an employee is terminated, IT disables (deactivates) the account for an audit period and then removes it. In addition, every system that employee had access to has to be audited and its passwords rotated. This takes time.
We can eliminate the need for password rotation by using SSH keys that are directly linked to the jump item profiles (including the username and the SSH public/private key references) and are therefore never exposed to the employee. Simply disabling the account, and with it access to PAM, then prevents that user from being able to do anything, because the target hosts would be locked down to only allow authentication via shared keys.
We can do this today with our built-in Vault functionality, available on builds as of 19.1.
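The approach above only holds if the target hosts really refuse password logins. The following is an added example, not vendor code: an offline audit of an sshd_config for key-only authentication, assuming the targets run OpenSSH. The function name `audit_sshd_config` and the sample configs are hypothetical and constructed for illustration.

```python
import re

# Values required for key-only login on a target host.
REQUIRED = {"passwordauthentication": "no",
            "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes"}
DEFAULTS = dict.fromkeys(REQUIRED, "yes")  # OpenSSH default when keyword absent
# Deprecated alias still common in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.+)")

def audit_sshd_config(text):
    """Return findings for an sshd_config; an empty list means key-only."""
    scopes, scope, findings = {"global": {}}, "global", []
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if raw.lstrip().startswith("#") or not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        key = ALIASES.get(key, key)
        if key == "match":                      # starts a conditional block
            scope = "Match " + arg
        elif key == "include":                  # cannot be resolved offline
            findings.append(f"{scope}: Include {arg} not followed")
        elif key in REQUIRED:
            value = arg.split()[0].strip('"').lower()
            # sshd keeps the first value it sees for a keyword
            scopes.setdefault(scope, {}).setdefault(key, value)
    for name, opts in scopes.items():
        # Only the global scope falls back to defaults; Match blocks override.
        effective = {**DEFAULTS, **opts} if name == "global" else opts
        for key, value in effective.items():
            if value != REQUIRED[key]:
                findings.append(f"{name}: {key} is {value}, want {REQUIRED[key]}")
    return findings

# Constructed sample configs (not taken from any real host).
WEAK = "PasswordAuthentication yes\nMatch User backup\n  PasswordAuthentication yes\n"
HARDENED = "PasswordAuthentication no\nKbdInteractiveAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_sshd_config(cfg) or "key-only authentication")
```

On a live host, `sshd -T` prints the effective configuration and remains the authoritative check; this parser is for reviewing config files collected during an audit.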