Question posed by customer: What prevents root from su'ing to a domain admin account?

I believe I once knew the answer to this basic question, but for the life of me, the answer is gone and the path to logical evaluation has been washed away. I am an AD guy, and after deployment of VAS / QAS I lost access / interest in keeping access to a Unix host to even test out such a question.

User A logs in to Unix host with unprivileged account.

Thanks to the magic of Unix RBAC/Sudo - customer su's to root.

What prevents root from su'ing to a Unix-enabled account in AD that is also a member of the domain administrators group and usurping their privilege without being prompted for a password? Same question for su'ing to the builtin administrator account for the domain?

I know there must be a traffic-cop mechanism that stops such a request, but what is IT, DANGIT!

Please and thank you...