The rules apply only when they change their password in the future.

We don't have any way of knowing the user's current password.

You can, of course, force the user to change their password, and then the new password rules would apply. You can do this in the admin ui or via updating the passwordChangeRequired field in the user object via the API.