It would be great to apply different permissions to entities based on whether or not the action is being made through a workflow or through the UI. For example, if you only want users to create Accounts through Leads, you could remove Add access from Accounts, but grant them Add access to Accounts when created through a workflow.