It would be nice to eventually provide policies for "Create New Users", "Edit Applications" (probably both globally and per-application) and other powers that are reserved for administrators by default.
This would allow deputizing semi-admins who could perform various administrative tasks without being able to, e.g., change installed applications or create any real mess.
I set the "Create New Users" policy to "Members of #access". A member of the access project reported that they are getting a 403/when trying to access /people/create/.
On my Dev box, I could easily reproduce by setting the policy to "All Users".