We are using dynamic arp inspection on our 3750 switch infrastructure to make sure that the devices connected to the switches are making valid ARP requests. We don't really mind what MAC addresses the devices use, but it is very important that they only make ARP requests for the correct IPs (NB - this is not just an IP ACL issue).
For instance, we do not want a device to claim to be the VLAN default gateway IP.
We are successfully using DAI with pairs of MAC and IPs. The question is, can we use a wildcard for the MAC part of the pairing? This would simplify our user management greatly.