I think one of us misunderstood how the event happened.

In my understanding restricting local admin rights would not have change anything here.

The Vercel employee signed up for Context.ai (a third-party tool) using their work account and granted it "Allow All" access to their environment.

Maybe Admin-Managed Consent would have helped prevent context.ai access the environment but this is not configured locally on the employee's machine.

It is a cloud-level setting managed within their identity provider's administrative portal.