While in theory you might be able to do something with tags for some resources, for others that just wouldn’t be possible. You’d either need to just remove certain edit permissions from the admin users or live with the case that someone might make changes outside of Terraform.
For our developers we do the former, and only give them limited permissions to make changes - things like starting/stopping/destroying instances and taking backups, but not things that are more permanant changes (such as making a new EKS cluster or removing an ECR repository). The idea is that the developers have the ability to make emergancy changes, but everything else has to be done via Terraform.
For our admin users we do give them much broader permissions. However we expect them to not misuse this ability, making changes directly only if essential, and even then ensuring the changes are reflected in the Terraform code as quickly as possible. In the normal non-emergancy case all changes should be via Terraform.
One item that we have on our backlog is to proactively scan for config drift (finding differences between what the Terraform code says and reality) to detect anything that does get done incorrectly, but that’s not something we’ve had chance to implement just yet.
I would be careful about removing all ability to make changes other than via Terraform. There will always be situations where the Terraform change isn’t possible (e.g. because things are suffficiently broken to prevent Terraform from running) or is too slow.