The main problem here is similar in nature to KULRICE-3307. There are situations where someone's identity might drop out of the system (in the case of LDAP). In theory the historical entity cache ought to help with this, but that might not always be the case. The problem in these situations is that it's not possible to remove the offending principal from the group or member via the UI because it's validating that the membership represents a valid principal. Seems it should only be validating "active" membership.
This was discussed at the KTI meeting on 02-29-2012: https://wiki.kuali.org/x/5nC1Eg