Jorge has landed a change to security_AccountsBaseline so people no longer need to update the user/group baseline in most cases. specifically, if your new user/group is standalone and does not have a shell/home dir, it will be automatically "approved". only in cases where you try to add a user to a different group will you have to update the baselines. e.g. adding more users to the "chronos-access" group requires a change, but creating user/group "foo" does not.
this is to reflect the fact that the majority of non-root accounts do not expose attack surfaces, so having to whitelist them was pointless friction.