Enrolling a service account with Admin rights gives it full access to an assigned application or VM. Anyone who holds access to that service account can perform critical actions such as deleting, updating, or changing settings without user intervention. For this reason, it's recommended that service accounts not have Admin rights.
Recommended Mitigation
Change the service account's role to restrict admin privileges.