Very good question and one that I ventured down and with the ACC, it is another process on the host and it has the ability to inject files into the agent directory.
Given the separated roles, the CA APM admins request the system admins (two or three different departments) to deploy agents. We provide instructions, environment and the zip/tar/directory for the agent to the specific department with a list of servers within a change request. These artifacts are reviewed and we start to deploy to development/test then a week later to QA/Stress then the results are investigated and a production impact report is authored. Once the report has been reviewed by the change control board, and we have permission to deploy, then our change request tasks for production are approved so the system admins can deploy.
Why make it easy?
Each time I've tried to start a proof of concept on deploying the ACC, I get pulled to do something else. Was hoping to get enough time before we upgrade from 10.0 to 10.5 to see how the ACC will change things, how to instruct the various teams how to use it since I very highly doubt that they will let a non-system admin to deploy to a production server.
There was two options, to publish a custom version number for our epagent with all of our plugins, configurations and such or to publish a version number for each of the plugins. We have opted to have a single version number for the agent with the understanding we have only one epagent for the three platforms (AIX, SLES, RHEL). So if we need to update any of the plugins or configuration, we are going to deploy the full agent not just a single file.