We have done some work on this but I think there is still work to do to make it truly effective.
When you disabled an AD user there was no mechanism to detect this event and invalidate the user's devices. With our 2.3.7 update, this should now be happening, although we have discovered this only works for one of the user's devices, not all, so that will get fixed in our next update.
I should note that if the account was already disabled before upgrading, their peer would remain accessible. This is because the fix relied on capturing the disabled event when the user was disabled. As it was already disabled, there was no event and therefore no invalidation.
Furthermore, when you disable the user on the AD it will only get updated at the next sync, so it won't be immediate.
We are now looking at hooking this up to our own user suspension code so that you have a way of preventing access immediately, independent of the user directory being used.
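The gap described in the post above, where invalidation depends on catching the disable event and so misses accounts that were already disabled, shown as an added example that is not the product's code and not part of the original post. The `Device` type, the function names and the sample data are hypothetical and constructed for illustration; treating a user who is missing from the directory as disabled is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Device:
    device_id: str
    owner: str
    valid: bool = True


def on_disable_event(devices, username):
    """Event-driven path: runs only when a 'user disabled' change is observed.
    Revokes every valid device of that user, not just the first match."""
    hit = [d for d in devices if d.owner == username and d.valid]
    for d in hit:
        d.valid = False
    return [d.device_id for d in hit]


def reconcile(devices, directory_enabled):
    """State-based path: at each sync, compare every device's owner with the
    directory's current state, so no event has to have been seen.
    Assumption: an owner absent from the directory counts as disabled."""
    revoked = []
    for d in devices:
        if d.valid and not directory_enabled.get(d.owner, False):
            d.valid = False
            revoked.append(d.device_id)
    return revoked


def demo():
    # Constructed sample: carol was disabled before the event handler existed,
    # bob is disabled now and produces an event.
    directory = {"alice": True, "bob": False, "carol": False}
    devices = [
        Device("alice-laptop", "alice"),
        Device("bob-laptop", "bob"),
        Device("bob-phone", "bob"),
        Device("carol-laptop", "carol"),
    ]
    by_event = on_disable_event(devices, "bob")
    still_valid = [d.device_id for d in devices if d.valid]
    by_sync = reconcile(devices, directory)
    return by_event, still_valid, by_sync


if __name__ == "__main__":
    print(demo())
```

After the event alone, `carol-laptop` is still valid; the reconciliation pass at the next sync is what revokes it.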