
Restricting ssh access for shared software accounts

0 votes
0 answers
109 views
We have passwordless login on all hosts through Kerberos. We have user accounts and shared accounts, all (host and sudo access) managed through LDAP (FreeIPA by Red Hat). Now if we give shell access to a human user for a shared software account on one particular host (this is done through an IPA sudo rule only), which we have to do sometimes, the human user can ssh to some other host where that software account has access, as that software account, even though the human user was not granted access there. To illustrate:

* human_user can sudo as software_account because it has access:

    -> human_user@host1.com: sudo -u software_account -i
    -> software_account@host1.com: ssh host2.com
    -> software_account@host2.com:

* human_user was given access to software_account only on host1, but now it has access to host2 also, since software_account has access to host2
Asked by Prateek Saigal (1 rep)
Jan 30, 2020, 10:38 AM
Last activity: Jan 30, 2020, 11:31 AM
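The hop the question describes is a transitive-access problem: the hosts a human reaches are the closure of "sudo to an account on this host" followed by "ssh as that account to every host its HBAC rule allows". The audit below, an added example rather than code from the question or from FreeIPA, computes that closure over constructed rule data and reports the hosts a user reaches that were never granted directly. It assumes a simplified model: `HBAC_ALLOW` maps each account to the hosts it may log in to, `SUDO_RULES` maps (user, host) to the accounts that user may become there, and a shell as any account on any host gives passwordless ssh to all of that account's allowed hosts, which is what the question reports for `software_account`. Real FreeIPA rules are expressed through user groups, host groups and "all" categories, so a production audit would expand those with the `ipa` CLI or API before feeding the flat sets used here.

```python
"""Effective-access audit for the sudo-then-ssh hop described in the question.

All data below is constructed for illustration; it is not real FreeIPA output.
"""
from collections import deque

# Constructed: which hosts each account may log in to (a flat stand-in for
# FreeIPA HBAC allow rules after group/category expansion).
HBAC_ALLOW = {
    "human_user": {"host1.com"},
    "software_account": {"host1.com", "host2.com", "host3.com"},
}

# Constructed: which accounts a user may become via `sudo -u <account> -i`,
# keyed by (user, host) (a flat stand-in for FreeIPA sudo rules).
SUDO_RULES = {
    ("human_user", "host1.com"): {"software_account"},
}


def effective_access(user, hbac=HBAC_ALLOW, sudo=SUDO_RULES):
    """Return the set of (account, host) pairs `user` can obtain a shell as.

    Breadth-first search over two edge types:
      * sudo edge: (account, host) -> (target, host) if a sudo rule allows it
      * ssh edge:  (account, host) -> (account, other) for every other host in
        the account's HBAC allow set (model assumption: passwordless login,
        as the question states, so a shell as the account anywhere reaches
        all hosts the account may log in to)
    """
    start = {(user, host) for host in hbac.get(user, set())}
    seen = set(start)
    queue = deque(start)
    while queue:
        account, host = queue.popleft()
        # sudo edges on the current host
        for target in sudo.get((account, host), set()):
            step = (target, host)
            if step not in seen:
                seen.add(step)
                queue.append(step)
        # ssh edges from the current host as the current account
        for other in hbac.get(account, set()):
            step = (account, other)
            if step not in seen:
                seen.add(step)
                queue.append(step)
    return seen


def unintended_hosts(user, hbac=HBAC_ALLOW, sudo=SUDO_RULES):
    """Hosts `user` can reach (as any account) that were not granted to `user` directly."""
    granted = hbac.get(user, set())
    reached = {host for _, host in effective_access(user, hbac, sudo)}
    return sorted(reached - granted)


def access_report(user, hbac=HBAC_ALLOW, sudo=SUDO_RULES):
    """Human-readable lines: one per (account, host) the user can end up as."""
    pairs = sorted(effective_access(user, hbac, sudo))
    return [f"{user} -> {account}@{host}" for account, host in pairs]


if __name__ == "__main__":
    for line in access_report("human_user"):
        print(line)
    print("unintended hosts:", unintended_hosts("human_user"))
```

Running it for `human_user` lists `software_account@host2.com` and `software_account@host3.com` as reachable although `human_user` was only granted `host1.com`; that list is what to compare against the intended grant when reviewing a sudo rule that hands out a shared account. The model deliberately ignores how the hop is made passwordless (ticket cache, shared home directory, keys), because the question does not say; the closure is the same either way.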