Admin By Request for macOS 5.3 brings System Settings pre-approval, app blocking, and passwordless unattended access. Granular Mac privilege control is here.
Web Access Management gives security teams a policy mechanism for what users download and from where, plus a full audit trail of every decision and action.
Over-provisioning at onboarding and accounts that outlive the contract are two failures temporary staff create. Both leave privileged access open to attackers.