I am firmly against this but for the sake of the engineers in our large org would love any additional arguments in favor of why we should allow them to have admin access.
I think it depends. I think it should be considered group-by-group and if the group is keeping everything patched, secure and not having security incidents then they get admin. a.k.a. trust-but-verify. If a group is not doing the bare minimum then, no. Liability must be on directors and above to keep each team's environments secure and there must be ramifications for leadership if they fall short of the bare minimum standards. This must include legal contractual obligations that are tied to stock, bonuses, both positive and negative. Do great things, be awarded great things. The company's SOC1/2, PCI and other documentation around audited controls must reflect this arrangement.
Each team or group must have security stats with their director's name by it if the goal is to open things up. But having a blanket yes/no company-wide is a many-edged sword and will put the company in the bad spotlight either way. Too locked down? People will find creative ways in 3... 2... 1... and then you end up with a non-standard junk-yard in no time and you lose your most creative and intelligent people. Too open company-wide and people will just do what people can do and Clippy will be embedded in every piece of software. i.e. malicious software modules.
My personal preference would be to ensure everyone has plenty of RAM and CPU power, then deploy a standard and widely accepted hypervisor that should meet the needs of most teams and let them deploy VMs. This hypervisor should be entirely capable of being driven by automation. Anything they do in their VMs or containers within their VMs must be 100% reproducible in the cloud(s) and in the data-center(s).
For teams that handle highly sensitive material, they get access to a compartmentalized Citrix farm or something like it. Maybe call it The Clean Room.
Every system and environment must have extensive auditing so that mishaps can be traced back to find the root cause and remediated. Any system missing the auditing must alert the security operations center and they must find out how that node obtained network access.
It's like making the client code responsible for enforcing database permissions.
The only valid argument in favor of doing this is if you have non-technical users and need to manage workstation configuration centrally so that you don't get drowned in technical support work.