Well, first take a step back and ask yourself what process do you have that prevents an employed rogue employee from doing something malicious? And then ask the obvious followup, what powers does a soon to be fired employee gain that lets them bypass those processes?

If the answer to both of them is nothing then you've got a problem.

---

Well, first your question has a frame-challenge problem. Most SWEs are like a factory creating tools that an end user can then use/consume. You don't want to be in a situation where if there's a power outage in the factory then all of your smart lights stop working. The amount of people that would need sudo to customer-related machines is extremely low and so trivially they wouldn't need to be fired with no notice.

Sticking with the frame-challenge problem. There are many non-sudo activities that an employee can do. Literally their sudo access could be revoked no-notice and then they're given time to do knowledge transfers / pass off their on-call rotations / etc. For most of these layoffs the individuals are still employees for the next 60 days (WARN Act has a 60d notice period, this is why all the severances are worded so weirdly in that the employees get 60d of pay and then a lump sum of X. The lump sum is severance, the 60d is salary by-law -- they can't be fired yet).

The `sudo` command itself posses a problem for separation of duties but an invocation of it could be blocked without a review from multiple other people (perhaps that list is filtered by not-to-be-fired employees). It could also be that the command is set by one person (i.e. copy data) and the parameters are set by another person (i.e. machine1, machine2) and this can be done ahead of time (i.e. a template workflow).