For private and fishbowl wikis, probably all accounts.
For other wikis, on a case-by-case basis.
For SUL wikis, probably the "global groups" of staff, sysadmins, stewards, ombudsmens, global-sysops, abusefilter-helpers, interface-editors, and founder, and the local per-wiki equivalents (at least for bureaucrat, checkuser, suppression, and interface-admin).
For meta, various groups which can make changes with a global effect (like renamer or CentralNotice admin).
For wikitech, users with SSH keys.
This might require some or all of the same UX improvements that block T166622: Allow all users on all wikis to use OATHAuth.
Related incident: https://wikitech.wikimedia.org/wiki/Incident_documentation/20161112-OurMine