AlecBG 2 days ago

You can enforce at the org level to only allow actions pinned to hashes. You can also choose a small whitelist of actions to allow.

mmarian 2 days ago | parent [-]

I used to think a whitelist could be a partial solution. But after Checkmarx KICS got compromised I can't see this working. I would've considered a well-established brand, in the security industry of all places, to be in the whitelist.
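The two controls discussed in this thread, as an added example that is not part of either comment: a repository-side audit that checks every `uses:` reference in a workflow against an allowlist and against full-commit-SHA pinning, reporting the two separately because an allowlisted action referenced by tag still resolves to whatever that tag currently points at. The workflow text, the action names other than `actions/checkout`, the SHAs and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample workflow; owner/repo names and SHAs are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/scanner-action@v2
      - uses: other-org/deploy-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

# Hypothetical allowlist of owner/repo names.
ALLOWED = {"actions/checkout", "example-org/scanner-action"}

# Captures the value of a `uses:` key, ignoring quotes and trailing comments.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
# A full commit SHA is the only ref form that cannot be moved later.
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit(workflow_text, allowed):
    """Return (line, reference, finding) tuples for a workflow file's text."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local actions and container images are out of scope for this check.
        if target.startswith(("./", "docker://")):
            continue
        name, _, ref = target.partition("@")
        # Keep owner/repo only; drops sub-paths such as reusable workflow files.
        repo = "/".join(name.split("/")[:2])
        if repo not in allowed:
            findings.append((lineno, target, "not-allowlisted"))
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((lineno, target, "mutable-ref"))
    return findings


if __name__ == "__main__":
    for lineno, target, finding in audit(SAMPLE_WORKFLOW, ALLOWED):
        print(f"line {lineno}: {target}: {finding}")
```

On the sample, the allowlisted `example-org/scanner-action@v2` is reported as `mutable-ref`, and the SHA-pinned `other-org/deploy-action` is reported as `not-allowlisted`.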