You do it the same way you protect the company from head of Sales running off with your client list, or the head of Accounting embezzling funds, or the Stock manager from running off with half the inventory, largely: Trust, but verify.
At the very least, I would require that all passwords for all Administrator accounts on systems and services under IT be kept in a password safe (either digitally like KeePass, or a literal piece of paper kept in a safe). Periodically you will need to verify that these accounts are still active and have appropriate access rights. Most experienced IT people call this the “if I’m hit by a bus” scenario, and it’s part of the general idea of eliminating points of failure.
At the one business I worked at where I was the sole IT Admin, we maintained a relationship with an external IT consultant who handed this, primarily because the company had been burned in the past (by incompetence more than malice). They had remote access passwords and could, when asked, reset the essential administrator passwords. They did not have direct access to any company data, however. They could only reset passwords. Of course, since they could reset enterprise admin passwords, they could take control of the systems. Again, it became “Trust but Verify”. They made sure they could access the systems. I made sure they didn’t change anything without us knowing about it.
And remember: the easiest way to make sure a person doesn’t burn your company is to make sure they’re happy. Make sure your pay is at least at the median value. I’ve heard of too many situations where IT personnel have damaged a company out of spite. Treat your employees right and they’ll do the same.