Just about anything would be better than 100% root access and "employed measures to make sure that we never have unattended access to your servers", and there's no reason you can't offer two solutions.
You'll have to develop a cryptographic scheme makes sure that when your management service is compromised, it does not affect the servers the management server controls. We've done that work.
Say we have a daemon though - the daemon would require root access in order to create user accounts. If the management service is compromised, the user accounts can be created. That's why we've made it infeasible to access SSH keys even if the management server is compromised.
Say we have a daemon though - the daemon would require root access in order to create user accounts. If the management service is compromised, the user accounts can be created. That's why we've made it infeasible to access SSH keys even if the management server is compromised.