Not any password....
Only WEAK ones..If it was implemented at the onset that compliance was to use strong 16-20 alphanumeric and special symbol passwords, and employees aren't sharing them, writing them down on post-it notes there is no reason to change that strong password. It would take a hacker hundreds of years to brute-force a cryptographically strong 20 character password, even with a highly sophisticated offline GPU gate-array. If the crypto is done right, there's no need to worry. Only case that I can see worth changing an employer/employee's password would be if they left, resigned, or were terminated.
Keep Up with TechRepublic