Typically we’ll see some of both, even in one organization. So, an org may have a large “Duo Users” group that contains everyone, and then have additional groups with smaller memberships to layer on top of that.
For your example of protecting both Palo Alto and Citrix, assuming the same users have access to those resources they could be assigned to just one group.
For the pilot group example, this could be done with a group policy with the “Allow access” or “Allow access without 2FA” user policy setting assigned to the large “Duo Users” group on an application, and then an additional policy assigned to a “Duo Pilot” group with the same user policy setting set to “Require enrollment”.
If you do plan to import users into Duo from Azure or Active Directory keep in mind that synced users can’t be manually added to other Duo groups, so you’d need to create your groups structure and populate members in your directory and then sync all the groups you want to use for management into Duo when setting up your sync.