• Regarding vendors who support a client-owned server, or clients who lease a vendor-hosted server, there can be an account set up with elevated permissions that you enable or disable for them as needed. However, they don't really need sysadmin membership just to deploy objects or run DBCC commands. That requires only db_ddladmin or db_owner membership. They don't need permissions that grant control of the server.

    As for things like 3rd party applications or monitoring tools, they don't need sysadmin privilege at all. They just need a "poweruser" account with: data reader, maybe writer, view server state, showplan, view schema definition, and that should cover it. If their software is designed in such a way that it just won't perform its normal daily functions without membership in 'SA', then that calls into question whether the developers really know what they're doing. You don't want someone or something with less SQL Server knowledge than yourself running roughshod over your server.

    When an organization is evaluating 3rd party applications, that should be a primary consideration:

    How much privilege do they require over the server for their software to be functional?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
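
The account layout described in the post above, written out as T-SQL. This is an added example, not part of the original post: the login names `VendorMonitor` and `VendorDeploy`, the database name `AppDb`, and the password placeholders are hypothetical, and the closing query is an added check that lists current sysadmin members.

```sql
-- Added example. VendorMonitor, VendorDeploy and AppDb are hypothetical names.

-- 1. Monitoring / third-party application login: read-only, no server control.
USE master;
GO
CREATE LOGIN VendorMonitor
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
GRANT VIEW SERVER STATE TO VendorMonitor;       -- server-scoped: read DMVs
GO

USE AppDb;
GO
CREATE USER VendorMonitor FOR LOGIN VendorMonitor;
ALTER ROLE db_datareader ADD MEMBER VendorMonitor;
-- Uncomment only if the tool has to write data:
-- ALTER ROLE db_datawriter ADD MEMBER VendorMonitor;
GRANT SHOWPLAN TO VendorMonitor;                -- database-scoped
GRANT VIEW DEFINITION TO VendorMonitor;         -- database-scoped
GO

-- 2. Vendor deployment login: db_ddladmin in one database, kept disabled
--    and enabled only for the duration of a support or deployment window.
USE master;
GO
CREATE LOGIN VendorDeploy
    WITH PASSWORD = N'<replace-with-strong-password>', CHECK_POLICY = ON;
ALTER LOGIN VendorDeploy DISABLE;
GO

USE AppDb;
GO
CREATE USER VendorDeploy FOR LOGIN VendorDeploy;
ALTER ROLE db_ddladmin ADD MEMBER VendorDeploy;
GO

-- Open and close the window:
-- ALTER LOGIN VendorDeploy ENABLE;
-- ALTER LOGIN VendorDeploy DISABLE;

-- 3. Review: every current member of the sysadmin fixed server role.
SELECT m.name, m.type_desc, m.is_disabled, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

Any vendor or application login returned by the last query is a candidate for moving to one of the two narrower accounts.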