I'm not entirely sure whether that might cause other issues, such as removing permissions from the Account Admin role and potentially locking yourself out. I definitely agree that dealing with these permissions can be frustrating at times.

We've decided not to use the default roles. Only Account Admin and IT Supervisor are used for administrative access. All other default roles are not in use. Our custom roles are labeled using the format “Company Name – Role Name”.

Hopefully, this will become easier once they finally revamp the permissions as originally planned for Q1 2025, introducing a more granular permission structure.

I mean sure, leave the account admin one but you also, it would be good if you could mark someone as the account admin and then no one can remove their permissions unless someone else takes over the role. That way, there is always someone with god rights and the system is aware that that person is the SME of the system and there is (no matter what) someone who can fix any issues with the account admin permissions. 

The other roles on the other hand, should be editable. Or be able to be deactivated so that they are not visible in the permissions. Otherwise, it makes administration more difficult - as they are also the first ones that show up in the drop down when you are granting permissions. It also means that if anyone moves between the roles of Account Admin, you then have to tell them NOT to use those roles. It is just another thing that makes it more difficult to have people move in and out of the role and more things you would have to explain of do not use that because xyz.