In previous engagements where this has become a concern, we have implemented a system similar to what you described. This is especially true in virtual environments as you can isolate a VM on the management network and control/audit access through that layer. Borrowing from the book of Mitch Gram:
1) Create a private management network in the virtualized environment that will only be used by a Windows OS instance and the management network of the Nimble array.
2) Create an AD integrated Windows VM with two network interfaces, 1 in the primary management network and 1 in the private management network created in step 1.
3) Enable their syslog infrastructure to monitor this Windows instance.
4) Create a policy in their GLBA / SOC audit controls that states that users accessing the Nimble may only do so by first accessing the VM referenced in step 2. This log-in will be tracked by a syslog event of an AD authentication to this OS. Also define in the policy that users will log in their internal control systems when they access this OS/Nimble array and for what purpose. The audit procedure is to run a report to compare the internal control system logs with syslog AD events to this OS and confirm 100% match.
Hope this helps! If you do go through an NDA, remind the customer that any future updates are non-disruptive and inclusive under their support agreement (no cost). So they can deploy now and take advantage when things like RBAC and syslog are released. If this is a time sensitive deal, I encourage you to engage with your local sales team to discuss the timing of these releases.
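The audit comparison in step 4, sketched as an added example that is not part of the original post: it matches successful logons to the management VM (Windows event ID 4624) against an access register and reports mismatches in both directions. The hostname `JUMPVM01`, the syslog line layout, the register columns and the 5-minute slack are all assumptions.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data. The hostname JUMPVM01, the syslog line layout and
# the register columns are assumptions, not formats taken from the thread.
SYSLOG = """\
2024-03-04T09:02:11 JUMPVM01 Security: EventID=4624 LogonType=10 User=CORP\\alice
2024-03-04T09:40:15 JUMPVM01 Security: EventID=4634 LogonType=10 User=CORP\\alice
2024-03-04T14:30:40 JUMPVM01 Security: EventID=4624 LogonType=10 User=CORP\\bob
2024-03-05T02:17:03 JUMPVM01 Security: EventID=4624 LogonType=10 User=CORP\\alice
"""
REGISTER = """\
user,start,end,purpose
alice,2024-03-04T09:00:00,2024-03-04T10:00:00,expand volume
carol,2024-03-04T11:00:00,2024-03-04T11:30:00,snapshot schedule
"""

LOGON = re.compile(r"^(\S+) (\S+) Security: EventID=4624 .*User=(?:[^\\\s]+\\)?(\S+)")

def parse_logons(text, host="JUMPVM01"):
    """Return (user, time) per successful logon (event 4624) on the jump VM."""
    out = []
    for line in text.splitlines():
        m = LOGON.match(line)
        if m and m.group(2) == host:
            out.append((m.group(3).lower(), datetime.fromisoformat(m.group(1))))
    return out

def parse_register(text):
    """Return (user, start, end, purpose) per row of the access register."""
    return [(r["user"].lower(), datetime.fromisoformat(r["start"]),
             datetime.fromisoformat(r["end"]), r["purpose"])
            for r in csv.DictReader(io.StringIO(text))]

def reconcile(logons, entries, slack=timedelta(minutes=5)):
    """Return (logons with no register entry, register entries with no logon)."""
    used, unexplained = set(), []
    for user, ts in logons:
        hits = [i for i, (u, start, end, _) in enumerate(entries)
                if u == user and start - slack <= ts <= end + slack]
        used.update(hits)
        if not hits:
            unexplained.append((user, ts))
    return unexplained, [e for i, e in enumerate(entries) if i not in used]

if __name__ == "__main__":
    print(reconcile(parse_logons(SYSLOG), parse_register(REGISTER)))
```

A 100% match in the sense of step 4 means both returned lists are empty.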
I wonder if the following could also be a viable option in certain environments for ongoing admin duties?
In a virtualised VMware environment, configure the vCenter plugin to manage the Nimble array and do not share the Nimble Admin password, thus forcing ongoing administrative activities to be performed via vCenter, which in most cases is plugged into AD and thus can control access. Further, VMware user account policies can control which VMware admins can perform storage-related activities. I am aware that only certain activities can be performed via vCenter, but standard activities like expanding volumes, creating new ones, snapshot scheduling and cloning restores probably form 95% of the main activities you would perform on a Nimble in an operational environment. Again, not the most elegant solution, but it can certainly address concerns in a security-conscious environment, albeit temporarily.