Prevent users with inherited permissions to the Azure Key Vault service from modifying Access Policies.
It should be possible to provide role separation even from the highest Azure permissions (Global Administrators / Subscription Owners).
As of today, anyone with permissions to modify the service can change Access Policies and give themselves permissions to Keys and Secrets.
Perhaps there could be an extra level of security linked to Azure Active Directory, where only specified groups or users would have the ability to modify access policies.
This is extremely important to decouple admin access from access policies.
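To see who falls into the "anyone with permissions to modify the service" group for a given vault, the following added example (not part of the original request) evaluates role assignments inherited from parent scopes against the two control-plane operations that rewrite access policies. The role definitions are trimmed copies of the built-in roles, and the subscription ID, vault name, principals and assignments are constructed placeholders.

```python
import fnmatch

# Control-plane operations that allow rewriting a vault's access policies.
POLICY_WRITE_OPS = (
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/accessPolicies/write",
)

# Trimmed copies of built-in role permissions (constructed for this example).
ROLES = {
    "Owner": [{"actions": ["*"], "notActions": []}],
    "Contributor": [{"actions": ["*"], "notActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action"]}],
    "Reader": [{"actions": ["*/read"], "notActions": []}],
}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
VAULT = SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Owner", SUB),
    ("bob", "Contributor", SUB + "/resourceGroups/rg-app"),
    ("carol", "Reader", VAULT),
    ("dave", "Contributor", SUB + "/resourceGroups/rg-other"),
]

def _matches(patterns, op):
    # RBAC action strings are case-insensitive; '*' is the only wildcard.
    return any(fnmatch.fnmatchcase(op.lower(), p.lower()) for p in patterns)

def role_allows(permissions, op):
    # Granted if some permission block lists op in actions and not in notActions.
    return any(_matches(p["actions"], op) and not _matches(p["notActions"], op)
               for p in permissions)

def scope_covers(scope, resource_id):
    # An assignment applies at its own scope and is inherited by everything below.
    s, r = scope.rstrip("/").lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def can_edit_access_policies(vault_id, assignments=ASSIGNMENTS, roles=ROLES):
    """Return (principal, role, scope) for every assignment that can rewrite policies."""
    return [(who, role, scope) for who, role, scope in assignments
            if scope_covers(scope, vault_id)
            and any(role_allows(roles[role], op) for op in POLICY_WRITE_OPS)]

if __name__ == "__main__":
    for who, role, scope in can_edit_access_policies(VAULT):
        print(f"{who}: {role} inherited from {scope}")
```

Fed with real role definitions and role assignments exported from a tenant, the same check lists every principal whose inherited role would let them add themselves to a vault's access policies.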