Our security process requires privilege escalation for managing users and role assignments.
It would be good if all actions relating to user and access management would require the user to enter her credentials to confirm the action. This would include changing authentication-related integrations. A simple and clear-cut way to decide when to require privilege escalation could be for all actions that require the Admin or Owner privilege.
Optionally, a temporary session with elevated privileges could be created. The privileged session would expire after a short amount of inactivity or could explicitly be killed by the user.
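
A sketch of the step-up check requested above, added here as an illustration; it is not part of the original request and not the product's code. The class and function names, the 300-second idle timeout, the PBKDF2 credential store and the "Member" role used in testing are assumptions; only the Admin and Owner roles come from the request.

```python
import hashlib
import hmac
import time

ELEVATED_ROLES = {"Admin", "Owner"}  # roles named in the request: these trigger step-up
IDLE_TIMEOUT = 300                   # assumption: seconds of inactivity before elevation lapses


def hash_password(password, salt):
    # Assumption: credentials are stored as salted PBKDF2-HMAC-SHA256 hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class StepUpGate:
    """Tracks short-lived elevated sessions, keyed by session id (hypothetical helper)."""

    def __init__(self, credentials, clock=time.monotonic):
        self.credentials = credentials  # user -> (salt, password_hash)
        self.clock = clock              # injectable so expiry can be tested
        self.elevated = {}              # session_id -> (user, last_activity)

    def elevate(self, session_id, user, password):
        """Re-check the user's credentials and open an elevated session."""
        record = self.credentials.get(user)
        if record is None:
            return False
        salt, stored = record
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return False
        self.elevated[session_id] = (user, self.clock())
        return True

    def drop(self, session_id):
        """Explicitly end the elevated session (the user 'kills' it)."""
        self.elevated.pop(session_id, None)

    def authorize(self, session_id, user, required_role, user_roles):
        """Return 'deny', 'allow', or 'reauth' (credentials must be entered first)."""
        if required_role not in user_roles:
            return "deny"
        if required_role not in ELEVATED_ROLES:
            return "allow"
        entry = self.elevated.get(session_id)
        if entry is None or entry[0] != user:
            return "reauth"
        if self.clock() - entry[1] > IDLE_TIMEOUT:
            self.drop(session_id)  # idle too long: elevation has expired
            return "reauth"
        self.elevated[session_id] = (user, self.clock())  # activity resets the idle timer
        return "allow"
```

Holding a role is never enough on its own here: an Admin or Owner action returns "reauth" until the same session has re-entered credentials, and again once the idle window has passed or the session was dropped.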