I think that the change to certain security measures should trigger an alert to a designated email. So if an admin changes the permissions of any users or groups an alert is triggered.

Additionally, I think that admins (not super admins) should not be able to edit their own group permissions. I have admins that have permissions to change and manage as they see fit. But that doesn't mean that I want them to have access to every company or even internal documentation.