Currently there is no way to ensure that a role (or user group) does not co-exist with another role within the same user or user group.
For example, one user should not be able to create a credit invoice and pay the same credit invoice. In some cases you want this to be done by separate people within the business.
It would be good to be able to create a matrix of roles that should not be assigned to the same user or user group.
When a user tries to assign an illegal combination of roles to a group or a user (due to a combination of groups), IAM should not allow it and should give a warning.
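A sketch of the requested check, added here as an illustration and not taken from any IAM product: a conflict matrix of role pairs is evaluated against a user's effective roles (direct roles plus roles inherited through groups) before an assignment is accepted. All role, group and user names and the function names are hypothetical, and the data is constructed.

```python
# Conflict matrix: each entry is a pair of roles that must never end up
# on the same user or the same group (constructed, hypothetical names).
CONFLICTS = {frozenset({"invoice.create_credit", "invoice.pay_credit"})}

# Constructed sample directory state.
GROUP_ROLES = {
    "accounts-receivable": {"invoice.create_credit", "invoice.read"},
    "treasury": {"invoice.pay_credit"},
}
USER_GROUPS = {"alice": {"accounts-receivable"}, "bob": {"treasury"}}
USER_ROLES = {"alice": {"report.view"}, "bob": set()}


def effective_roles(user):
    """Direct roles plus every role inherited through group membership."""
    roles = set(USER_ROLES.get(user, ()))
    for group in USER_GROUPS.get(user, ()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def violations(roles):
    """Conflicting pairs fully contained in a role set, in sorted order."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= roles)


def check_add_user_to_group(user, group):
    """Conflicts the membership would create; an empty list means allowed."""
    return violations(effective_roles(user) | GROUP_ROLES.get(group, set()))


def check_add_role_to_user(user, role):
    """Conflicts a direct role grant would create for this user."""
    return violations(effective_roles(user) | {role})


def check_add_role_to_group(group, role):
    """A group change reaches every member, so check the group and each member."""
    found = {}
    group_conflicts = violations(GROUP_ROLES.get(group, set()) | {role})
    if group_conflicts:
        found["group:" + group] = group_conflicts
    for user, groups in USER_GROUPS.items():
        if group in groups:
            user_conflicts = violations(effective_roles(user) | {role})
            if user_conflicts:
                found[user] = user_conflicts
    return found
```

A non-empty result is what the assignment screen would turn into the refusal and warning; the pre-change check only holds if every path that grants roles or memberships goes through it.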