Enable ACL tracking for resource access
When a resource is accessed, the user's token is presented and access is granted or denied based on the SIDs it contains (not taking the DACL into account). Tracking stale groups and ACLs in an environment is difficult, especially when multiple ACLs grant access to the same resource.
It would be good if there were an event or log that audited not just that a principal got access, but how they got access. E.g. the user's own SID is present on the resource and they gained access through direct permissions, or they gained access through the SID of a group in their token. It would also be good to separate out SID History, as this could validate whether SID History use is declining or still being used heavily.
This would allow stale principals to be cleaned up and would give a better retrospective audit of how access to a resource was granted.
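To make the requested audit record concrete, here is an added example (not from the original post, and not Windows' real AccessCheck) in Python: a simplified model of DACL evaluation that, alongside the grant/deny result, records which ACE matched and whether the matching SID was the user's own SID, a group SID, or a SID carried in SID History. All SIDs, group memberships and ACEs below are constructed sample values. The model keeps the two rules that matter for the question: ACEs are walked in DACL order and a matching deny for a still-ungranted right wins; an allow ACE only contributes rights for SIDs actually present in the token.

```python
"""Simplified model of a Windows DACL access check that also explains how
access was obtained (direct SID, group SID, or SID-history SID).

This is a teaching model, not the kernel's SeAccessCheck; it tracks the
"remaining desired" rights the way the documented algorithm does, but uses
a toy three-bit access mask.
"""
from dataclasses import dataclass, field
from typing import Dict, List

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4  # toy access-mask bits (constructed)


@dataclass
class Ace:
    sid: str
    mask: int
    allow: bool = True  # False models an access-denied ACE


@dataclass
class Token:
    user_sid: str
    group_sids: List[str] = field(default_factory=list)
    sid_history: List[str] = field(default_factory=list)  # legacy SIDs in the token

    def sid_kinds(self) -> Dict[str, str]:
        """Map every SID present in the token to how it got there."""
        kinds = {self.user_sid: "direct"}
        for g in self.group_sids:
            kinds.setdefault(g, "group")
        for h in self.sid_history:
            kinds.setdefault(h, "sid-history")
        return kinds


@dataclass
class Decision:
    granted: bool
    explanation: List[str]  # one line per ACE that influenced the result
    via: Dict[str, str]     # granting SID -> "direct" | "group" | "sid-history"


def access_check(dacl: List[Ace], token: Token, desired: int) -> Decision:
    """Walk the DACL in order; denies on still-ungranted rights win,
    allows chip away at the remaining desired mask. The returned Decision
    carries the 'how' that the page asks auditing to expose."""
    kinds = token.sid_kinds()
    remaining = desired
    explanation: List[str] = []
    via: Dict[str, str] = {}
    for ace in dacl:
        if ace.sid not in kinds:
            continue  # ACE trustee is not in this token: ignored
        kind = kinds[ace.sid]
        if not ace.allow:
            blocked = ace.mask & remaining
            if blocked:
                explanation.append(f"DENY {ace.sid} ({kind}) blocks 0x{blocked:x}")
                return Decision(False, explanation, {})
            continue
        contributed = ace.mask & remaining
        if contributed:
            explanation.append(f"ALLOW {ace.sid} ({kind}) grants 0x{contributed:x}")
            via[ace.sid] = kind
            remaining &= ~contributed
        if remaining == 0:
            return Decision(True, explanation, via)
    explanation.append(f"no ACE grants remaining 0x{remaining:x}")
    return Decision(False, explanation, via)


def count_grants_by_kind(decisions: List[Decision]) -> Dict[str, int]:
    """Aggregate successful accesses by how they were obtained; a falling
    'sid-history' count over time is the signal the page wants to watch."""
    counts = {"direct": 0, "group": 0, "sid-history": 0}
    for d in decisions:
        if d.granted:
            for kind in d.via.values():
                counts[kind] += 1
    return counts


# Constructed sample data: a user, two groups, one SID-history entry,
# and a canonically ordered DACL (deny ACEs first).
USER = "S-1-5-21-1000-1108"
GROUP_USERS, GROUP_CONTRACT = "S-1-5-21-1000-513", "S-1-5-21-1000-2001"
OLD_DOMAIN_SID = "S-1-5-21-9999-1050"
SAMPLE_DACL = [
    Ace(GROUP_CONTRACT, WRITE, allow=False),
    Ace(USER, READ),
    Ace(OLD_DOMAIN_SID, EXECUTE),
    Ace(GROUP_USERS, WRITE),
]
SAMPLE_TOKEN = Token(USER, [GROUP_USERS, GROUP_CONTRACT], [OLD_DOMAIN_SID])

if __name__ == "__main__":
    for want in (READ | EXECUTE, WRITE):
        d = access_check(SAMPLE_DACL, SAMPLE_TOKEN, want)
        print(f"desired=0x{want:x} granted={d.granted} via={d.via}")
        for line in d.explanation:
            print("   ", line)
```

Running the block shows READ|EXECUTE granted with `via` attributing READ to the user's own SID and EXECUTE to the SID-history entry, while WRITE is refused by the deny ACE on the contractor group even though another group would allow it; that per-ACE attribution is exactly the record a retrospective audit needs in order to retire the ACE on the old-domain SID once the sid-history count drops to zero.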