In this case, I suggest you use a certification campaign in the workflow to remove all access, revoking the certification automatically, so you can use a filter to exclude the entitlements they need to retain from the campaign.
More detailed steps here: Remove All Access Workflow
The loop might work, but it has a limit of one hundred items per iteration, so it can get complicated if an identity has more than 100 access items.