After talking with some people at work, and talking more with Clay and learning more about "account_autocreate" and "allow_account_management" in general, I no longer think this setting could be considered a security layer. If we did change to require the setting, then some deployments would have to add that - when they might not mind the change in behavior. And most likely if you specifically cared not to autocreate, then you'd prob have it set. Sounds like a very low chance we'd want to change the default down the road. Perhaps it is best to simply change the default.