Even if you do mixed mode, it isa good idea to eventually disable sa.

So after the fact you could:

1. create another sql login with sysadmin, whose pwd is stored in your passwrod vault. 2. disable sa.

This could be done centrally against many servers via a powershell script (enter password interactively).