We're concerned about a scenario where an attacker gains foothold and then creates local accounts or adds a compromised account to local Administrators group or similar. We're also concerned about scenarios where client admins make local accounts for whatever reason (troubleshooting GPOs, software, etc) and then forget to disable them, etc.