Also if you are forced to comply with an unreasonable request, then give them the bare minimum required. For example, keep in mind that the 'SA' account and SYSADMIN are not the same thing. 'SA' is just a SQL Server account, and what exact permissions it has can be determined by, you, the DBA.
You can drop or rename the original defaul 'SA' account and then re-create it using access and permissions using your own discretion. In the example below, we have altered the 'SA' account to be more of a Power User who can query any table and do things like view execution plans or run traces, but it no longer has full server administration (SYSADMIN) privillages.
alter login [sa] disable;
alter login [sa] with name = [sa_bak];
create login [sa] with PASSWORD = 'wh@t3v3r', DEFAULT_DATABASE = master;
grant alter trace to [sa];
grant view any definition to [sa];
grant virw server state to [sa];
create user [sa] for login [sa];
exec sp_addrolemember 'db_datareader', 'sa';
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho