It would be awesome if you had a report of effective access or configuration for architects/auditors to review. For example, it would be awesome if you could point out weak configs that could expose people to thinks like “self enrollment” feature given to users in the New User Policy. it’s not clear to most people that if you choose to deny access for new users, and happen to leverage the authorized networks option while failing to select the box “require enrollment from these networks” (maybe because this is not a very understood setting) that you have exposed your Duo to miscreants enrolling 2FA devices with a phished account. I think these riskier features should be called out for the user base, who might have a false sense of security because “hey…we are running Duo 2FA”. Microsoft does something similar for Azure clients (Security Scorecard).