Some great points there. I would also add a way for business users or admins to easily review accounts and privileges and sign off on that review if you are targeting any kind of regulated industry.
Look up maker-checker [1]. Almost all the enterprise systems require a human to review and approve changes initiated by someone else.
Even if you don't implement it right away, be aware of it and, if possible, build your entity/data model in such a way that you can add it later without turning your architecture upside down.
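As an added illustration of the maker-checker and access-review points above (this is example code, not code from the thread or any product mentioned in it), the following sketch shows a data model in which live entity state is only ever mutated through a change request that a second, different principal approves, plus a signed access-review record whose "revoke" decisions feed back into the same approval queue. Entity names, field names, the in-memory store and the sample accounts are assumptions made for the example.

```python
"""Maker-checker (four-eyes) change approval and access-review sign-off.

Added example, not from the original thread. Entity/field names and the
in-memory store are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class SeparationOfDutiesError(Exception):
    """Raised when the checker is the same principal as the maker."""


@dataclass
class ChangeRequest:
    request_id: int
    entity: str          # e.g. "account"
    entity_id: str
    field_name: str
    new_value: object
    maker: str
    status: str = "pending"          # pending | approved | rejected
    checker: Optional[str] = None
    decided_at: Optional[datetime] = None


@dataclass
class AccessReview:
    reviewer: str
    decisions: Dict[str, str]        # account id -> "keep" | "revoke"
    signed_at: datetime
    spawned_requests: List[int]      # change requests raised by "revoke"


class MakerCheckerStore:
    """Live state in `entities` changes only via an approved ChangeRequest."""

    def __init__(self, entities: Dict[str, Dict[str, dict]]):
        self.entities = entities
        self.requests: Dict[int, ChangeRequest] = {}
        self.reviews: List[AccessReview] = []
        self._next_id = 1

    def propose(self, maker, entity, entity_id, field_name, new_value) -> int:
        """Maker records an intended change; nothing is applied yet."""
        req = ChangeRequest(self._next_id, entity, entity_id, field_name, new_value, maker)
        self.requests[req.request_id] = req
        self._next_id += 1
        return req.request_id

    def pending(self) -> List[ChangeRequest]:
        """Work queue for checkers (and an audit view for reviewers)."""
        return [r for r in self.requests.values() if r.status == "pending"]

    def decide(self, checker: str, request_id: int, approve: bool) -> str:
        """Checker approves or rejects; must not be the maker (four eyes)."""
        req = self.requests[request_id]
        if req.status != "pending":
            raise ValueError(f"request {request_id} already {req.status}")
        if checker == req.maker:
            raise SeparationOfDutiesError(f"{checker} cannot check own request")
        req.checker = checker
        req.decided_at = datetime.now(timezone.utc)
        if approve:
            # Only here does live entity state actually change.
            self.entities[req.entity][req.entity_id][req.field_name] = req.new_value
            req.status = "approved"
        else:
            req.status = "rejected"
        return req.status

    def sign_off_review(self, reviewer: str, decisions: Dict[str, str]) -> AccessReview:
        """Reviewer attests to each account; revokes become change requests
        made by the reviewer, so they too need an independent checker."""
        spawned = []
        for account_id, decision in decisions.items():
            if decision == "revoke":
                spawned.append(self.propose(reviewer, "account", account_id, "enabled", False))
        review = AccessReview(reviewer, dict(decisions), datetime.now(timezone.utc), spawned)
        self.reviews.append(review)
        return review


def build_demo_store() -> MakerCheckerStore:
    """Constructed sample data (assumed, not real accounts)."""
    return MakerCheckerStore({
        "account": {
            "u42": {"owner": "alice", "role": "user", "enabled": True},
            "u77": {"owner": "carol", "role": "admin", "enabled": True},
        }
    })


if __name__ == "__main__":
    store = build_demo_store()
    rid = store.propose("alice", "account", "u42", "role", "admin")
    print("pending:", [r.request_id for r in store.pending()])
    print("bob decides:", store.decide("bob", rid, approve=True))
    review = store.sign_off_review("dave", {"u42": "keep", "u77": "revoke"})
    print("review spawned requests:", review.spawned_requests)
```

The key modelling choice is that the pending request is a first-class row with its own lifecycle rather than a flag on the entity, so adding maker-checker later is a matter of routing writes through `propose`/`decide` instead of restructuring the entity tables; the access review is likewise a stored, signed record rather than an ad-hoc report.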