I don't have an easy way to test this out - and I think I know the answer - but wanted to ask.
If you give a non-admin user the rights to the security area in Epic - can they then make themselves an admin?
From a 10,000 foot view most likely, although I think Epic's permissions can be more granular than that. Are you trying to give someone like a password reset role?
Basically agency wants a power user to have access to everything except accounting. but if they have access to security - it seems pointless if they can then just grant themselves access to accounting... or reset the accountants password... or create a new user with access to accounting ... etc.
Yeah if they'll have the ability to create a user or reset a password, thats pretty much god mode. A couple ways around that are I think you may be able to have a user mostly do all that except for create users and reset passwords, OR limit them by Agency/Branch.
They would not have the ability to change themselves to an enterprise admin. Since they would be logged in as themselves it would advise the user cannot be edited because the user is currently logged into the system. However, they could still make changes to security as you indicated. Unless this person will actually be making security changes for others, I can't imagine why they would even need access to security.