In my experience, most access credentials (whether it is cards, fob, or even PIN codes) are issued once - on the first day the holder is permitted access - and then not addressed unless the holder loses or destroys the credential, or has access revoked.
The intervening period can be years, even decades. I have a family member who still uses an access card issued in 1998. Needless to say, it is old, worn, and the picture printed on it is faded. (It wouldn't look much like the 2013 version of the holder, anyway.) Many access control users see the reissuance and rotation of credentials to be pure cost - "If it isn't broken, don't fix it" seems to be the common opinion.
I've not seen a 'best practices' widely adopted for this policy. So what do you think?
Do you rotate, or recommend a rotation (reissuance) interval for access credentials? What cons can you think of by NOT rotating them?