Security policy would typically dictate that SSO should be required. This leads to a couple of items:
1) Ability to require SSO: no ability to set passwords on non-SSO accounts, blocking of some sort, or marking a given account as 'SSO only'.
2) Some sort of alternative token for use with pf9ctl that does not involve providing a password.
3) Ability to set a location/IP range restriction on users, such as locking non-SSO logins to only come from certain IPs.