Hello @sam.minchin thank you for reaching out to our team and glad to hear your feedback on 2FA!
Even though we strongly recommend all users to enable Two-factor authentication, there is no mandatory restriction to force users to go through the process. Great suggestion here on admins having visibility over which users have already enabled their accounts.
As organizational controls would be a good next set of features, I have forwarded your feedback to our Product team.