We know that problem.
For us, a third party is in charge of installing agents, and if they install a gazillion agents with a script that has a faulty loop, or change the agent name around a lot, that possibly*) takes up many licenses - even though the agents are never allowed to run any jobs, being not authorized in client 0 by the admin.
*) I say possibly because it did count as using a license in the old UI when there was still a license counter. On the other hand, I have been told by Automic that the license report tool that some (not all) of us have to use only counts agents if they executed at least one job, so agents that were never authorized by the admin would not consume licenses by that way of thinking. It's really not well designed or very clear in my view.
If you subscribe to the former way of thinking, yes, every agent that connects eats a license and a disgruntled employee with packet sniffer/replay skills can screw over your licensing audits.
I don't think the admin can truly, fully prevent this; at least I have, fwiw, not found a good way.
You could run an SQL statement (SQL variable or some such) that finds agents without permissions (they come without R/W/X permissions in client 0, and thus while eating licenses, can't execute anything). You can look at table HACL, it has the read/write/execute flags (one or zero), and you need to join it against OH for all OH objects of OH_TYPE='HOST'. Then you can periodically delete those rogue agents (see what I did there?) from client 0.
Ultimately though, I think this is more of a legal issue. Hence, I suggest talking to your key account manager, getting assurances on how precisely your licenses are measured, and ideally having them clarify that a license is only consumed once the agent actually gets authorized (R/W/X permissions in client 0) by the admin. That way, you are safe, and that's the way it should have been done from the start.
Hth,
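An added example of the periodic check the post above sketches; this is not the poster's own query. The post only names the tables HACL and OH, the type filter OH_TYPE='HOST' and the idea of 0/1 read/write/execute flags, so the column names used here (OH_Idnr, OH_Name, OH_Client, HACL_OH_Idnr, HACL_Read, HACL_Write, HACL_Execute) are assumptions and must be checked against the schema of your own Automic release before use. The query lists HOST objects in client 0 that have no authorization row granting any of the three flags, which covers both agents that have no HACL row at all and agents whose row carries only zeros.

```sql
-- Added example, not the original poster's code.
-- Assumed column names (verify against your Automic DB schema):
--   OH.OH_Idnr, OH.OH_Name, OH.OH_Client, OH.OH_TYPE
--   HACL.HACL_OH_Idnr, HACL.HACL_Read, HACL.HACL_Write, HACL.HACL_Execute
-- Lists agents (HOST objects) in client 0 that were never authorized,
-- i.e. for which no HACL row grants read, write or execute.
SELECT  oh.OH_Idnr   AS agent_id,
        oh.OH_Name   AS agent_name
FROM    OH oh
WHERE   oh.OH_Client = 0
AND     oh.OH_TYPE   = 'HOST'
AND     NOT EXISTS (
            SELECT 1
            FROM   HACL h
            WHERE  h.HACL_OH_Idnr = oh.OH_Idnr
            AND   (h.HACL_Read = 1 OR h.HACL_Write = 1 OR h.HACL_Execute = 1)
        )
ORDER BY oh.OH_Name;
```

Run it read-only first and review the list before deleting anything: an agent that was installed intentionally but not yet authorized by the admin will show up here as well, so the result is a candidate list for cleanup, not a deletion list in itself.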