To be more specific, when an IIOC is added to the list; two factors are considered: How much value will it add to the product (i.e. how useful it will be in the general sense) and what type of impact it will have on the overall performance.
The list of inactive IIOCs may vary with each upgrade. If one has activated an IIOC, it will revert back to inactive after upgrade.
To note: If an IIOC has been set to generate an alert, the status will not change when the system is upgraded.
(For example, if you have set an IIOC as active and alertable and then upgrade RSA NetWitness Endpoint, the IIOC will be set back to default and the IIOC will still be alertable.)
In the screenshot below, prior to an upgrade the "Uncommon executable extension" IIOC was activated and set to be alertable. After upgrading, the IIOC reverted back to inactive but is still marked as alertable.