A similar discussion was held over here: https://community.servicenow.com/message/1133031 - and I'm somewhat in agreement with your Security team.
Because of the way Discovery runs, it needs privileged access to obtain details of a Windows host, be it via WMI, PowerShell calls or ordinary commands. If there's some way of permitting WMI calls to be made by a localised user that can be whitelisted from the MID Server's IP address, then best go down that route.
It's entirely possible Discovery will run using probes that do NOT require a high level of access, and as a result no domain or power-user access is needed. However, there's chance that someone will append additional probes or discovery pattern steps and these will fail as a result of insufficient privileges, so the recommendation is that the account has local admin rights (doesn't need to be domain admin) for unrestricted access to this information.
From a security point of view, it's possible to limit connectivity for this account from just the MID server(s), preventing the account from being abused.
For more info, point your security team at these two links:
Hope that helps!
