Even if you do mixed mode, it isa good idea to eventually disable sa.
So after the fact you could:
1. create another sql login with sysadmin, whose pwd is stored in your passwrod vault. 2. disable sa.
This could be done centrally against many servers via a powershell script (enter password interactively).