Similar to what was implemented in https://issues.apache.org/jira/browse/SLING-12115 it should be supported to create ACLs without creating the according group/user but just defer that to external group sync.
By default now Oak in AEMaaCS is more lenient, i.e. it allows unbound principals in ACLs (using org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl.importBehavior = besteffort, https://github.com/apache/jackrabbit-oak/blob/52755d8ad5915c5cd3cb037b848036930e8297b7/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/xml/ImportBehavior.java#L44 and https://github.com/apache/jackrabbit-oak/blob/52755d8ad5915c5cd3cb037b848036930e8297b7/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.java#L266.