Enable IT Admin to determine who can publish to the entire organization
Let the IT Admin determine who can add publish content packs to all people in organization (using alias, DL and SG)
Looks like the latest version (as of Jun 2017) now has the feature to specify which groups can publish to the entire org. To take it further, the admin (of PowerBI, not the workspace) can specify which security groups the workspace can be published to, and the app and/or content pack published can only be viewed by those security groups. This can strongly increase governance capability.
There needs to be an option to specify which security group can create app workspace. Currently, any pro license user can crate app workspace, which means anyone can publish an App. Yes, we can turn off the publishing to entire org, but there are big enough security groups that people can select to publish to.