I have seen this handled in 4 different ways, over the years. It depends on if you are updating the inactive/removed groups from AD or not. And then for both, there are 2 ways of handling it: manually or automated.

If you don't get any trigger from AD on inactivation/removal of a group, you need some check on that. Are they updated daily/weekly/monthly? Then you can check the timestamp of the latest sync and if a group is not included, you can assume that it is no longer active in AD.

If you do get that trigger, you map that action to the group record.

In both scenarios you can automate it (remove/inactivate if AD says remove/inactivate), or have a manual task created for the system admin to check if the group isn't used anywhere (it would become a mess if the group granting the ITIL role gets removed).

Personally, I preferred a hybrid solution: when a group is 'marked' as no longer in AD, do a check if any users/roles are added to it and if it has a type (ITIL/approval/etc). If not, remove it, because it's no longer use. If so, create a task for the system admin, to check the impact.