We are using Federation & Role-switching and have no current need to use the SSO admin users which are necessarily created via Account Factory. Ideally, we'd like to delete them, but I worry about Control Tower drift. I would also consider disabling them and/or putting a highly restrictive SCP on them (which I'm thinking is our most likely scenario).
We'd like an option wherein we do not need to have the same kind of routines that we use for admin users which are actually used or have the potential to have a valid use case.
