Topicus KeyHub's philosophy: by defaults accounts should be inactive.
The threat landscape is minimised when no accounts are active. Whenever required, an account can be activated with a single click. This enables a personal account which is provisioned with the required privileges. After work finishes, the account is disabled automatically.
If required for auditing or compliance, a mandatory reason can be enforces before enabling a group. This reason is stored in the audit log and presented to all group members on their dashboard.
With the rotating-password option the credentials of each user are regenerated daily.