Hybrid Custody accounts are going to come in many flavors with different rules and restrictions. In order to not take a purview on which ones are valid and which ones are not, we should consider defining an interface to sit on-top of an AuthAccount which can be used to control certain aspects of the AuthAccount itself. This suggestion comes from Dete in our latest community call. You can find context about that and the ongoing discussion about hybrid custody here