Hi Chris,
Some API endpoints simply require a PAT to be used by nature. You can read more from SailPoint and other ambassadors about this topic in this thread:
Personally, I manage this constraint by creating a service account identity under a delimited file source for which I generate PATs under as if they were client credentials, that way I know that identity will not get offboarded and the PAT is not linked to a real identity. Then the login credentials for the identity can be managed in the organization’s PAM tool.