The SentryStore class has a privCleaner that cleans up orphaned privileges. Currently, cleaning happens after 50 notification requests are sent, and it uses locking to synchronize.
I think the whole thing can be simplified:
1) We should consider whether it is possible to clean up a privilege simply when we see that there are no roles associated with it. In this case we do not need this at all.
2) We can simply run a periodic job to clean up orphaned privileges and groups (which are not cleaned up at all now).