This policy validates that IAM user access keys are used at least once every 90 days.
Access keys provide programmatic access to an AWS account. Keys that are not in use should not be enabled, as they only serve to increase the attack surface of the account.
Remediation
To remediate this, each unused credential for each user mentioned in this alert should be made inactive.
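
One way to run the same 90-day check offline against an IAM credential report, as an added example (not this policy's own implementation). The sample rows are constructed, and measuring a never-used key's age from its `last_rotated` timestamp is an assumption of the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_IDLE = timedelta(days=90)  # threshold stated by the policy

# Constructed sample in the IAM credential report CSV layout
# (only the columns this check reads are included).
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2023-01-10T09:00:00+00:00,2024-05-20T12:00:00+00:00,false,N/A,N/A
bob,true,2023-02-01T09:00:00+00:00,2023-11-01T08:30:00+00:00,true,2024-05-01T09:00:00+00:00,N/A
carol,true,2023-03-01T09:00:00+00:00,N/A,false,2022-01-01T00:00:00+00:00,2022-02-01T00:00:00+00:00
"""


def _parse(ts):
    """Return an aware datetime, or None for the report's 'N/A' marker."""
    return None if ts in ("N/A", "") else datetime.fromisoformat(ts)


def find_unused_keys(report_csv, now):
    """Return (user, key_slot, reason) for each active key idle longer than MAX_IDLE."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row[prefix + "active"] != "true":
                continue  # already inactive, nothing to remediate
            last_used = _parse(row[prefix + "last_used_date"])
            # Assumption: a key that was never used is aged from last_rotated,
            # so a freshly issued key is not flagged on day one.
            reference = last_used or _parse(row[prefix + "last_rotated"])
            if reference is None or now - reference > MAX_IDLE:
                reason = "idle" if last_used else "never used"
                findings.append((row["user"], int(slot), reason))
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, slot, reason in find_unused_keys(SAMPLE_REPORT, as_of):
        print(f"{user}: access key {slot} is {reason}; make it inactive")
```

The credential report does not include access key IDs, so look them up per user (for example with `aws iam list-access-keys`) before setting a key to `Inactive` with `aws iam update-access-key`.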