I think this is a step forward, but I think it is better to think of access in terms of what responsibilities a person or group has.

When new access is to be given, it should be framed in the context of what new responsibilities are required.

I think this framing provides not just justification, but can provide inherent expectations of a users behavior that is easier to inspect and interrogate if needed.