Hey Venjirai.
there are many reasons why this could be happening:
a) the tenant is using PIM and the affected users requested higher permissions (like Global Admin). As a result, this provides the uses that receive this higher Azure Role (Global Admin for example) with the System Administrator role on Dataverse.
b) Similar situation if the users have a higher role assigned in a permanent way (for example, Power Platform Administrator role in Azure)
The best advise would be to open a request to Microsoft for further investigation
Regards
