Regrets that I will not be on the call tomorrow as I'm testifying in the same .gov API Task Force that Eve did yesterday. (Eve did a fabulous job!)
I would add an X to the intersection of 95 (multiple AS) and #trust. I'm particularly thinking of what happens when the same API (e.g., FHIR in healthcare) is used for a resource that might be accessed under both RO and institutional controls. Again, in healthcare, access to a patient-level FHIR resource could be under HIPAA TPO (no patient consent required, when the Client has certain attributes) or under HIPAA patient right of access (no trust is required as long as the RO specifies the Client). In this example, the same resource could have two different ASs or the resource would be duplicated in order to work with a single AS UMA.
I believe this issue is not just for healthcare. For example, in IoT, a shared door lock resource might be controlled by the ASs of multiple tenants. When a RqP shows up at the door, they need to be matched with the AS of the tenant they claim invited them.