• You have fallen into a trap that I fell into some time ago. At least that is how it sounds.

    A software vendor says "I need sysadmin/db_owner or this software won't run!" I gave them those rights and ended up having to explain why one of them deleted a database they shouldn't have. Embarrassing.

    Now I ask the vendors what their application user needs to do and use a strict policy based on the application of minimum privilege. They don't like it (especially as most of the vendors don't really know what level of permission their user really needs!), and it makes me unpopular with some developers, but then, they aren't the ones that have to pick up the pieces when they make a mistake.

    The 'sa' account, sysadmin fixed server role and db_owner fixed database role should never be given out where it isn't strictly needed simply because they can do absolutely everything and privileges cannot be revoked from any of them.

    It is always better to create a tailored account even if it means spending time on the phone tweaking it until it does exactly what it is supposed to.
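As an added example (not from the original poster), the tailored-account approach above written out in T-SQL for SQL Server, with the "just give us sysadmin" version left in as a comment for contrast. The database (VendorApp), login and user (vendor_app), role (vendor_app_role), table (dbo.Orders) and procedure (dbo.usp_PlaceOrder) are assumed names, not anything from the post; substitute whatever the vendor's application actually touches.

```sql
-- Added example, not from the original post. All object names are assumptions.

-- What the vendor asked for. Do NOT do this: either line hands over the
-- whole instance or the whole database and nothing can be revoked afterwards.
--   ALTER SERVER ROLE sysadmin ADD MEMBER vendor_app;
--   ALTER ROLE db_owner ADD MEMBER vendor_app;

-- The tailored alternative.
USE master;
GO
CREATE LOGIN vendor_app
    WITH PASSWORD = 'ReplaceWithAStrongPassword!1',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = VendorApp;
GO

USE VendorApp;
GO
CREATE USER vendor_app FOR LOGIN vendor_app;

-- Put the permissions on a role, not on the user, so they can be reviewed in
-- one place and handed to a replacement account without re-granting.
CREATE ROLE vendor_app_role;
ALTER ROLE vendor_app_role ADD MEMBER vendor_app;

-- Grant only what the vendor could show the application needs.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO vendor_app_role;
GRANT EXECUTE ON dbo.usp_PlaceOrder TO vendor_app_role;

-- DENY wins over any later, broader GRANT, so spell out the things that must
-- never happen even if someone widens the role in a hurry.
DENY DELETE ON dbo.Orders TO vendor_app_role;
DENY ALTER ANY SCHEMA TO vendor_app_role;
GO

-- Check 1: what can the account actually do? Impersonate it and list the
-- effective permissions rather than trusting the GRANT statements.
EXECUTE AS USER = 'vendor_app';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
SELECT permission_name FROM fn_my_permissions('dbo.Orders', 'OBJECT');
SELECT IS_MEMBER('db_owner') AS is_db_owner;   -- expect 0
REVERT;
GO

-- Check 2: the server side. The login must not be in sysadmin.
EXECUTE AS LOGIN = 'vendor_app';
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- expect 0
SELECT permission_name FROM fn_my_permissions(NULL, 'SERVER');
REVERT;
GO

-- Check 3: prove the limit holds. The DELETE should be refused (error 229).
EXECUTE AS USER = 'vendor_app';
BEGIN TRY
    DELETE FROM dbo.Orders WHERE OrderId = -1;
    PRINT 'DELETE succeeded: vendor_app_role is too permissive';
END TRY
BEGIN CATCH
    PRINT 'DELETE blocked as intended: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
GO
```

Run checks 1 to 3 again after every "could you just add one more permission" phone call; the impersonation checks are what tell you whether the account has quietly crept back towards db_owner, and the DENY lines are what keep a later broad GRANT from doing so silently.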