Access/audit log for API keys
Recently we had the case that someone went into a sub-account and reset the secret for an API key in order to get access to it in order to update some of the templates via the API. This same API key is used for our production processing.
As only 1 API key can be kept per sub-account at the moment, there is also no workaround except sharing the key. In our case this was done but the person lost it/deleted it somehow and didn't really think about the implications of resetting the secret. This caused our production API key to be invalidated and the IP to be blocked for accessing the API too often without valid credentials.
The debugging of this issue was rather difficult, as we only noticed the IP block but did not spot the initial errors. Having an audit log next to the API keys which showed "Secret was reset" by XY with a timestamp would have helped us resolve the issue much more quickly.
In combination with potentially having multiple keys per sub-account at some point, it might also be good to include things like "New key was created by ..." in a more global log per sub-account.