The more I think about an OpenSSH CA and principals the better it gets. This scales so much better than user-management even if you use configuration management. And you can more easily remove a user, or give a user more permissions around your machines and have expiry dates.