Got it.
- Don’t create Access Profiles/Roles for these legacy entitlements.
- Remove Entitlements from the Request Center; it is good practice to make access requestable through Access Profiles/Roles.
Offboarding:
A different process is followed by every implementation as per their project requirements. The most commonly used is:
- Disable user on last working day EOD or next day
- Remove all the access after 2/3 weeks
- Delete account after a month
Timelines might change, but the process is heavily followed. Check this post for reference.
User Deprovisioning in Active Directory - IdentityNow (IDN) / IDN Discussion and Questions - SailPoint Developer Community Forum
Possibilities of removing access and deleting accounts:
- Certification campaign: launch a certification after the last working day and revoke all access.
- Before Provisioning Rule: You can use any extension attribute, or even the description attribute; enable sync for that attribute. When there is a sync, the Before Provisioning Rule should monitor and update the plan accordingly to remove the user access. You can even delete the account using the same Rule.
- Workflow: You can remove the access, but you cannot delete the account. Currently, the workflow Manage Accounts → Delete account is supported only for Delimited sources. Remember, Workflow is a licensed module.
Hope this helps
Thanks
Krish