So from my perspective, ISC should be the source of truth for what access an identity should have on a source system. NCD will tell you when an identity has obtained out-of-band access (i.e. somehow they got access to an entitlement on the source without ISC granting it). If a user got access to something outside of the process provided by ISC, then you need to revoke that access directly on the source. You could either manually remove their access or setup a system that can automatically remove the access using the APIs provided by the source system.
Workflows can help with this. You can setup a workflow to listen to NCD events, and if you spot one then you can have the workflow invoke the HTTP Request Action to directly remove the out-of-band access from the user on the source. You could also create a micro-certification campaign to revoke the access. Check out this blog post by @Bassem_Mohamed. I think this can help you solve your use case.