Quick note from engineering
1. Certificate expiry checks
2. AD account expiry checks (the policy engine can convert the accountExpires attribute into a usable date/time field)
You can use these to frame policies that look up date/time attributes, and compare them with attributes fetched from authentication/authorization.