Campaign for entitlement assignments without role/access profiles

Hi,
I would like to create a certification campaign or a policy to certify identities that are assigned to entitlements without being assigned to a role or service profile.

To be more precise: in our organisation, people should be assigned to an entitlement ONLY if they have been assigned a role or access profile containing that entitlement. If not (e.g. if they have been manually assigned to the entitlement in the source, or if we removed the entitlements from an Access Profile/Role), they should be revoked from that entitlement.

But I was not able to build a search query that says “list identities that belong to entitlements WITHOUT belonging to roles/access profiles containing those entitlements”. Can someone advise me on how to build such a query?

Thank you.