A cool addition to IAM would be a task that allows you to disable all objects for a specific role which cannot be accessed from within the application. This will allow you to disable objects that the user in theory could/should never be able to access.
This will help prevent users from accidentally having rights to tables which they should not have access to in the first place.
They will not access the tables using the GUI but will be able to access them using a tool like MS SQL Management Studio or Indicium. This task will help you prevent this.