We have found users submitting future access requests with maximum release durations.
But when we shorten those times, the existing future requests still exist with the longer release times and become grandfathered in.
We need either an automated way to reduce those durations times to be constrained to the maximum duration at the time the user performs the checkout,
If the duration of the request conflicts with the constraints of the policy change, the request is revoked because it does not match the allowable durations at the time it was checked out/or retrieved.
This can happen with 2 step approval or auto-approved requests.