Hi there, sorry for letting this ticket sit unanswered - we discussed this in detail in a support ticket. A summary is as follows:
It should be possible to generate more than one access token per shadow customer. You can find more information about access token creation in a shadow customer context here. However, as you suspect, this does not create any kind of hierarchy with respect to access.
If you are interested in a more deeply-tiered hierarchy of access, which I suspect you are, then you would likely need to proxy another level of abstracted authentication within your own system (you own infrastructure).