Attackers often call the help desk instead of breaching it, talking agents into resets and MFA changes. Least privilege for support staff limits the damage.
Admin By Request for macOS 5.3 brings System Settings pre-approval, app blocking, and passwordless unattended access. Granular Mac privilege control is here.
Web Access Management gives security teams a policy mechanism for what users download and from where, plus a full audit trail of every decision and action.