I have set up HashiCorp vault in our environment with ldap/active directory and the ssh secrets engine, providing users with a signed cert to access linux servers.
I've set up some AD groups, for example:
Access - SSH Admin Standard # Gives access to standard linux servers via "ssh-admin-standard-policy"
Access - Vault Admin # Vault admins with super user access via "superadmin"
ssh-admin-standard-policy
path "ssh/roles/*" {
capabilities = ["read"]
}
path "sys/mounts*" {
capabilities = ["read", "list"]
}
path "ssh/sign/ssh-admin-standard" {
capabilities = ["create", "update"]
}
and superadmin
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
Now when I login as a user that has both AD Groups I get:
➜ ~ vault login -method=ldap username="clarg"
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token
token_accessor
token_duration 768h
token_renewable true
token_policies ["default" "ssh-admin-standard" "superadmin"]
identity_policies []
policies ["default" "ssh-admin-standard" "superadmin"]
token_meta_username clarg
But when I try to do superadmin things, I get permission denied. When I googled this, I found that in Vault the most restrictive policy wins, in this case the "ssh-admin-standard-policy" policy which restricts ssh/roles to read only.
My question is how am I supposed to manage superuser access? For now I am using the root key while I am setting it up but I want to delete that.
This isn't actually true. The most specific match for a given path will win, not the most restrictive policy (except that "deny" always wins).
So - while I'm not entirely sure why you're getting the behavior you're describing - you should simply remove your admin users from the group that assigns them to the "ssh-admin-standard" policy (Access - SSH Admin Standard), leaving them only with the "superadmin" policy from their membership in Access - Vault Admin.
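To make the precedence rule in this reply concrete, here is an added toy model (written for this thread, not Vault's own source) of how Vault merges a token's policies and picks the governing rule for a request, applied to the two policies from the question. A write under ssh/roles/ is governed by the more specific ssh/roles/* rule, which only grants read, even though * grants everything; the deny and "only superadmin" cases are modelled too.

```python
# Toy model of Vault ACL resolution (constructed example, not Vault's code):
#  1. rules for the same path from different policies are unioned, but a
#     "deny" anywhere overrides everything for that path;
#  2. a request is governed by the exact-path rule if one exists, otherwise
#     by the longest glob rule (path ending in "*") whose prefix matches.
from typing import Dict, List, Optional, Set

CAP_DENY = "deny"
Policy = Dict[str, List[str]]   # path -> capabilities, as in the HCL above


def merge_policies(policies: List[Policy]) -> Dict[str, Set[str]]:
    """Union capabilities per path across all attached policies; deny wins."""
    merged: Dict[str, Set[str]] = {}
    for policy in policies:
        for path, caps in policy.items():
            current = merged.setdefault(path, set())
            if CAP_DENY in caps or CAP_DENY in current:
                merged[path] = {CAP_DENY}
            else:
                current.update(caps)
    return merged


def governing_rule(merged: Dict[str, Set[str]], request_path: str) -> Optional[str]:
    """Exact match first; otherwise the longest matching glob prefix."""
    if request_path in merged:
        return request_path
    best: Optional[str] = None
    for path in merged:
        if path.endswith("*") and request_path.startswith(path[:-1]):
            if best is None or len(path) > len(best):
                best = path
    return best


def allowed(merged: Dict[str, Set[str]], request_path: str, capability: str) -> bool:
    """True only if the single governing rule grants the capability."""
    rule = governing_rule(merged, request_path)
    if rule is None:
        return False
    caps = merged[rule]
    return CAP_DENY not in caps and capability in caps


# The two policies from the question (the "default" policy is omitted).
SSH_ADMIN_STANDARD: Policy = {
    "ssh/roles/*": ["read"],
    "sys/mounts*": ["read", "list"],
    "ssh/sign/ssh-admin-standard": ["create", "update"],
}
SUPERADMIN: Policy = {"*": ["create", "read", "update", "delete", "list", "sudo"]}
```

Running `allowed(merge_policies([SSH_ADMIN_STANDARD, SUPERADMIN]), "ssh/roles/foo", "update")` returns False, while the same call with only `SUPERADMIN` attached returns True, which is the fix the reply recommends.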