Hi,
Various flavours of GRC all the way from Virsa days through to 10.1 have this sort of functionality - known as Risk Terminator.
To use it in it's preventative mode is a complete pain and every customer I know who has used it to prevent roles being generated with risks has switched off the preventative part ASAP.
If you can find an enhancement point in the code of PFCG then you can put in some custom code to do what you want. I would imaging a check before role save or profile generation would do what you are looking for.
It may be a sledgehammer to crack a walnut but at risk of promoting a fellow SDNer's company there may be something here that suits: www.xiting.ch/en
Colleen's advice on SU24 is spot on and is (IMO) the right way to do it and will hugely reduce the occurance of "New" auths.
Good luck.