I'd make CLI, SEI and RTI available only in hypervisor (supervisor?) mode. CLI could (potentially) lock up the entire system (unless NMI is used for time-slicing/watchdog purposes), and so should not be allowed from user mode. If CLI is disallowed for user mode, it is no great hardship to disallow SEI, as well.
Since interrupts are handled in supervisor mode, RTI does not make sense for user mode, and should be disallowed as well. For more complex interrupt handling, the handler should be split into a short segment that does the minimum amount of work and sets up a context for doing the rest of the work at a later time.
The BRK instruction could be used for software interrupts, and would be mostly (only?) used from user code. It should be given its own interrupt level, which should (probably) be the lowest of the 7 interrupt levels. User code would conceptually be the 8th level, and (obviously) lower priority than the 7 levels allocated for interrupt handling and hypervisor/supervisor mode.
Instead of (or in addition to) having an I flag, I would have 7 bits, one for each interrupt level, for indicating whether at least one interrupt has been posted for that level. With this scheme, the interrupts should be edge-triggered.
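An added sketch, not part of the original post, modelling the scheme described above in C: CLI, SEI and RTI fault in user mode, BRK posts the lowest level, and seven edge-triggered pending bits drive dispatch. The level numbering (7 highest, 1 for BRK, 0 for user code), the fault return code and all names are assumptions.

```c
#include <stdint.h>

/* Assumed numbering: levels 1..7 (7 = highest), BRK on level 1, user code = 0. */
enum op { OP_CLI, OP_SEI, OP_RTI, OP_BRK, OP_OTHER };
enum { BRK_LEVEL = 1, PRIV_FAULT = -1, OK = 0 };

struct cpu {
    uint8_t pending;   /* bit (n-1) set: at least one interrupt posted for level n */
    uint8_t line;      /* last sampled state of the 7 request lines */
    uint8_t level;     /* level currently running, 0 = user mode */
    uint8_t saved[8];  /* interrupted levels, restored by RTI */
    uint8_t depth;
};

/* Edge-triggered posting: only a 0->1 transition sets a pending bit,
   so a line that is held high is not posted again. */
void sample_lines(struct cpu *c, uint8_t now) {
    now &= 0x7f;
    c->pending |= (uint8_t)(now & ~c->line);
    c->line = now;
}

/* Privilege gate: CLI, SEI and RTI are refused at level 0 (user mode).
   The mask semantics of CLI/SEI are left out; only the gate is modelled. */
int execute(struct cpu *c, enum op o) {
    if (c->level == 0 && (o == OP_CLI || o == OP_SEI || o == OP_RTI))
        return PRIV_FAULT;
    if (o == OP_RTI)
        c->level = c->saved[--c->depth];          /* back to interrupted level */
    else if (o == OP_BRK)
        c->pending |= (uint8_t)(1u << (BRK_LEVEL - 1));
    return OK;
}

/* Enter the highest pending level above the current one and clear its bit.
   Returns the level entered, or 0 if nothing outranks the running code. */
int dispatch(struct cpu *c) {
    for (int n = 7; n > c->level; n--) {
        uint8_t bit = (uint8_t)(1u << (n - 1));
        if (c->pending & bit) {
            c->pending &= (uint8_t)~bit;
            c->saved[c->depth++] = c->level;
            c->level = (uint8_t)n;
            return n;
        }
    }
    return 0;
}
```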