Copying and providing proxy access are process controls. You discipline people for that.
No, it's worse than that. Firstly, they are efficiency impediments because they require workarounds, and moreover, they obstruct the deployment of fine-grained permissions ala POLA because users still need to be able to do something to do their jobs. Secondly, training users has never worked and will never work, particularly when such discipline conflicts with the need to do their job.
There's a reason capability-based security tokens are gaining traction with online web services at the expense of traditional wall-garden authentication scenarios: they are more composable, more fine-grained, and most importantly, fine-grained security authorizations are largely invisible to users.
You're demanding something perfect and rejecting anything that doesn't measure up.
No, I'm demanding that administrators not be able to express policies that aren't actually enforceable.