How do we make sure that Operator of vault server cannot use admin's clients account (entity) to do something bad?

I’m a internship. Right now I’ve been assign to implement the SSH Cert. using Vault from hashicrop but in the authenticate part between clients (admin) and vault server that operated by vault server operator how can we make sure that the operator not going to use the admin entity to do something bad with the server because from my understanding the vault server operator have to be the one that create the user account right? and manage all policy of each client.

ps. if i misunderstands in some point please help me clarify that concept please thank you!

I, actually in my compagny “Admin role” is a role with a policy to change policy. All Vault configuration is IaC with terraform. All terraform code is in Gitlab and can be reviewed by the secure team. All Vault command are logged in Splunk with dashboard for the security team.
Of there, there is no root token.