As we've discussed, if/when a student/researcher/contributor revokes permission to our App this prevents any access tokens given to that application from accessing the researcher's ORCID record.
If the end date hasn't been written before that revocation, it can't be subsequently added without a valid access token leaving that item stranded and forever suggesting the researcher remains employed.
ORCID's been putting some thought in this (hopefully rare) situation, and has some suggestions for how organisations deal with affiliations for departing staff. Three proposed workflows can be found here:
https://docs.google.com/document/d/1w1mV4QoXJHdFas8aA2EHkPlYJDhnkZ4poUZsCIopPF0
The first two (exit interviews for staff, and for students) emphasise communications with the affected staff/students to gain their permission. I'd hope that trust in an organisation persists after the formal relationship, but realise there's a place for one-time permissions if the outgoing individual wishes.
Any user may "If [the] User believes in good faith that data in a record is not accurate and cannot fix it her/himself through the ORCID record management tools or contacting the Record Holder directly, s/he may report the inaccuracy using an ORCID Data Report."
This seems to be an extremely practical approach given the vast majority of good actors, and preferable to a technical solution.
Explain to your researchers the value of maintaining the trust relationship; using staff departure and exit interviews as opportunities to mark completion of a role; and if that fails, raise a Data Report to initiate a dispute on accuracy.