As an IT guy myself, I would have (and did -- now retired) talked to anyone who would listen, including managing partners, and insisted on implementing best practices.
Then I would send an email to the whomevers and let them reject my recommendations for the record.
Business makes the final call, but I always covered my ass and had evidence that installations were to their specs, despite having been warned.
If the install was something they'd never actually have to manage, I'd change the admin password to one of my own and never tell a soul.
Later, when another tech from another firm came on site to do shit, I'd just tell them, "Dunno ... maybe a factory reset?"