Thursday, July 31, 2014

Ansible and Corporate security

I was admittedly poking my nose into my colleagues' troubles when they were describing setting up Ansible on a Go "CI server", which required SSHing to our WebSphere Deployment Managers. As you know, Ansible doesn't use a server-agent topology like Puppet does, but instead relies on SSH keys. To put it pictorially:
The trouble is that Ansible must SSH as "root", while the Go agent must run as "go", meaning you have to SSH as a different user from the one running the agent. That in turn means SSH keys stored in "root"'s home directory to avoid logging in each time, which is a breach of security! This sparked discussions of actually getting a "root" user accessible to us (which no sane security team is going to allow). It actually makes sense to get sudo access for "go", or whatever user we decide on for the CI server, but we've yet to work that out.
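The sudo-based alternative mentioned above, as an added example that is not from the original post: the Go agent connects as the unprivileged "go" user whose key lives in its own home directory, and Ansible escalates with sudo only on the target. The inventory group name, the `become` syntax (Ansible 1.9+; older releases used `sudo: yes`) and the sudoers line are assumptions.

```yaml
# Added example, not part of the original post or of Ansible's own docs.
# Key placement this assumes: the private key is ~go/.ssh/id_ed25519 on the CI server
# and the matching public key is in ~go/.ssh/authorized_keys on each DMgr host; no
# root key exists on the CI server at all.
# Sudo grant this assumes, in /etc/sudoers.d/go on each DMgr host:
#   go ALL=(root) NOPASSWD: ALL
# Ansible's become wraps module execution in a shell run under sudo, so a narrower
# command list does not constrain it; limit exposure instead by only installing go's
# public key on hosts the CI server must manage, and rely on sudo's own logging
# (every escalation is recorded against the "go" account rather than a shared root key).
- name: Manage WebSphere Deployment Managers without a root SSH key
  hosts: websphere_dmgrs          # assumed inventory group name
  remote_user: go                 # SSH in as the same account the Go agent runs under
  become: true                    # escalate to root via sudo only where the task needs it
  become_method: sudo
  become_user: root
  tasks:
    - name: Confirm the SSH login itself is "go", not root
      command: id -un
      become: false               # run this one without escalation
      register: login_user
      changed_when: false
      failed_when: login_user.stdout != "go"

    - name: Confirm sudo escalation works (this replaces the root key)
      command: id -un
      register: escalated_user
      changed_when: false
      failed_when: escalated_user.stdout != "root"
```

Run it from the Go agent with `ansible-playbook -i inventory dmgr.yml`; if either check fails the play stops, which tells you whether the problem is the SSH key or the sudo grant.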
