>JIT access should be the goal.

Individual privileges for specific things should be given access to instead of giving god access to a system.

I hear what you are saying but many, many people who have dedicated their life to this topic disagree with you. Onions have layers for a reason.

RBAC by nature requires a Creator. ZeroTrust networks still require gateways.

I'm not saying there can't be an admin who can create roles, or do some extra authentication to gain that privilege. I am saying that it shouldn't require assuming an all powerful user to do it. You should be able to do it from your actual account. This is good for keeping accurate records too since all actions are done by the users themselves. Yes, technically sudo can be logged, but it's bypassable by starting a shell.

Elevated credentials for said users segment access while still allowing the same user to access more administrative function.

Proper group / sudoers mappings can go a long way, but you still want that administrative break between access levels.