You should have control and review process in place rather than imposing a blanket ban. You can your director that all logins with sysadmin prvilege will be audited, DBA logins will be added only after approval from a Manager, Audit activities need to be reviewed, DBA's cannot add/modify logins. In other words, securityadmin should be separated by sysadmin. All the best!