It would be good to get notifications when User starts a session through PAM: RDP, SSH etc., for all kind of sessions (Web, Terminal, Direct etc.).
That would be also good if there will be a mechanism of session approval (like a Workflow) when Security Officer will approve new session - for all or some sessions.
Both ideas are popular for Security Officers, they want to keep full control over Privileged Assets and Credentials and any activities related with they.