I am making a few assumptions; let me know if any of them are wrong:
1) AD groups are linked (maybe by name) to an SD group
2) All AD groups are linked with SD groups before any linking between users and groups is done in SD (otherwise, SD would not be able to link users to groups)
Now let us dig a bit deeper into the groups in SD.
Every user can be a member of one or more groups in SD, which is represented by a Groups collection on the User Object.
The user can (in Web Access, not in Self Service) change their current group to any of the groups in this collection.
SD can only add Objects to a collection and not delete them. Therefore a user who changes groups in AD will hold these two linked SD groups (old and new) in their collection.
-> So much for the explanation of why this is happening.
You can set during import the current group of the user by adding this to the import mapping, but - as the groups are still in the user's collection - they can switch between them.
-> The solution
could be a trigger on the database to delete from each user all the groups that are not the current group.
Triggers can be tricky and need to be checked thoroughly to ensure that they are fit for purpose in your environment.
We, therefore, cannot give you any ready-made trigger here.
Please seek assistance from your DBA or our Professional Services Consultants to set such a trigger up.
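
The add-only behaviour described in the post, and a read-only check for the stale group memberships it leaves behind, as an added example that is not part of the original post and is not Service Desk code. The data layout, function names and sample users are constructed for illustration, and groups are assumed to be linked by a simple AD-to-SD name map.

```python
# Added example: models the add-only import and audits the result.
# All names and sample data are constructed; this is not Service Desk's schema or API.

def import_user(sd_users, name, ad_groups, ad_to_sd):
    """Mimic the import: linked groups are added to the collection, never removed."""
    user = sd_users.setdefault(name, {"groups": [], "current": None})
    linked = [ad_to_sd[g] for g in ad_groups if g in ad_to_sd]
    for sd_group in linked:
        if sd_group not in user["groups"]:
            user["groups"].append(sd_group)
    if linked:
        user["current"] = linked[0]  # the import mapping sets the current group
    return user

def audit_stale_groups(sd_users, ad_membership, ad_to_sd):
    """Return {user: [SD groups]} for groups no longer backed by AD membership."""
    findings = {}
    for name, user in sd_users.items():
        # A user missing from AD has no allowed groups, so every group is stale.
        allowed = {ad_to_sd[g] for g in ad_membership.get(name, []) if g in ad_to_sd}
        stale = [g for g in user["groups"] if g not in allowed]
        if stale:
            findings[name] = stale
    return findings

def build_sample():
    """Two import runs; alice moves from Finance to HR in AD between them."""
    ad_to_sd = {"AD-Finance": "Finance", "AD-HR": "HR", "AD-IT": "IT"}
    sd_users = {}
    import_user(sd_users, "alice", ["AD-Finance"], ad_to_sd)
    import_user(sd_users, "bob", ["AD-IT"], ad_to_sd)
    ad_now = {"alice": ["AD-HR"], "bob": ["AD-IT"]}
    for name, groups in ad_now.items():
        import_user(sd_users, name, groups, ad_to_sd)
    return sd_users, ad_now, ad_to_sd

if __name__ == "__main__":
    users, ad_now, links = build_sample()
    for name, stale in audit_stale_groups(users, ad_now, links).items():
        print(f"{name}: current={users[name]['current']} stale={stale}")
```

A report like this shows which users could still switch to a group they have left in AD, and gives a baseline to compare against when a trigger is tested.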