The following operations always require the user to enter the password or OTP:

Action User Type Password required?
Downgrade their access level Org Admin Always¹
Delete a business Org Admin Always
Delete their Precious Leads account Org Admin Always
Cancel their billing Org Admin Always
Invite a new Org / Business Admin Org Admin 30 minutes validity
Upgrade a user to Org / Business Admin Org Admin 30 minutes validity
Downgrade a user from Org / Business Org Admin 30 minutes validity
Delete their account All Always
Update the user email All Requires verifying old + new email

¹ If there is only one Org Admin, Users should not be able to downgrade their access level