Lots to parse there ...
Yes, to see the PIT privileges from the user that created the key, use the with_limited_by flag.
Use the GET API with:

> `with_limited_by` (boolean) Generally available; Added in 8.5.0. Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors.
With respect to how you want to manage the user / how users create API keys, there are several approaches... and it depends on whether you are using automation, your overall maturity, etc... plus your overall security architecture / posture / philosophy. Who can / cannot create API keys, and with what privileges, is very use-case dependent.
With respect to SSO users creating keys, yes that is an issue if they are disabled etc. that key can not be updated.
Personally I am not a big "Update API Keys" fan (there are valid use cases); my preference is to create new keys and rotate them, which may or may not work for you (understood that could be painful).
I have a sophisticated customer where end users submit a PR / GitHub Action, and their key shows up in a corp Secrets Store... a user never logs in directly to create an API key.
Generally, I see users use a "tightly managed" Native Realm user for API key creation.
But yes, basically the user that creates the key needs to have a superset of the privileges that the key needs.
Hope that helps a bit....
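As an added illustration (not part of the post above, and not Elastic's own code), here is a Python check over a constructed Get API Key response fetched with `with_limited_by=true`: it reports privileges assigned to a key that the owner's role descriptors do not back, i.e. privileges that fall outside the intersection the documentation describes. It assumes the response shape shown in the sample, and it compares privilege names and index patterns literally, without modelling wildcard or `all` expansion.

```python
import json

# Constructed sample response (not real cluster output) from
# GET /_security/api_key?id=<key-id>&with_limited_by=true
SAMPLE_RESPONSE = json.dumps({
    "api_keys": [{
        "id": "EXAMPLE-KEY-ID",
        "name": "ingest-key",
        "role_descriptors": {
            "ingest": {
                "cluster": ["monitor", "manage_ilm"],
                "indices": [{"names": ["logs-*"], "privileges": ["write", "create_index", "delete"]}],
            }
        },
        "limited_by": [{
            "logs_writer": {
                "cluster": ["monitor"],
                "indices": [{"names": ["logs-*"], "privileges": ["write", "create_index"]}],
            }
        }],
    }]
})

def owner_grants(limited_by):
    """Collect the owner's cluster privileges and index privileges keyed by index pattern."""
    cluster, indices = set(), {}
    for roles in limited_by:
        for role in roles.values():
            cluster.update(role.get("cluster", []))
            for entry in role.get("indices", []):
                for name in entry["names"]:
                    indices.setdefault(name, set()).update(entry["privileges"])
    return cluster, indices

def ineffective_privileges(response_json):
    """Per API key, list assigned privileges the owner's roles do not back.
    Assumption: names and patterns compared literally; no wildcard/"all" expansion."""
    report = {}
    for key in json.loads(response_json)["api_keys"]:
        owner_cluster, owner_indices = owner_grants(key.get("limited_by", []))
        missing = {"cluster": set(), "indices": {}}
        for role in key["role_descriptors"].values():
            missing["cluster"] |= set(role.get("cluster", [])) - owner_cluster
            for entry in role.get("indices", []):
                for name in entry["names"]:
                    gap = set(entry["privileges"]) - owner_indices.get(name, set())
                    if gap:
                        missing["indices"].setdefault(name, set()).update(gap)
        report[key["id"]] = missing
    return report
```

For the sample above the report flags `manage_ilm` and `delete` on `logs-*`, which the key carries on paper but cannot exercise because the owner never held them.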