But you can still restrict that. Make it so every access must be tied to a specific open ticket. Don't just say "well, this person sometimes needs access to a specific customer's information so they can have permanent always-on access to all customer information."
How do you know it isn't? The only claim was that there are many employees with access to 'sensitive customer information'. That would be the case even if the employees could only see customer information associated with tickets that they had been assigned.