>All it takes is for an admin (or hacked admin account) to change the password of the target Slack user and log in as said user to view all their private messages.
An admin cannot change a user's password.
You can enable an account wide feature which allows admins to view all messages but that's separate and costs money. Also not what you described.
I don't think that's true. In the corporate world, Slack is authenticated with AD/SAML/etc. and Slack has no idea who is changing passwords on that backend system.
The reality is that IT administrators are the root of trust at all organizations. This new feature doesn't change that.
The admin just changes the email address, then does a forgot-password recovery. You don't need SSO/special integrations. You can do this on a vanilla Slack install to any user.
IT administrators may handle the root of trust, but IT administrators are closely subservient to management. Management, in the business of control, knows this, and pushes at many opportunities. In the US courts, management whim controls any asset, not de facto key holders.
From a technical perspective, yes, though of course not a legal perspective. Take certs signed by an internal CA for example; as far as end user devices are concerned, the root of trust is that CA, which is presumably configured and managed by your IT staff. (Or sysadmins or whatever the role happens to be at your company.)
It’s of course possible to limit administrators’ access to certain systems, but ultimately the mechanisms to do so are themselves probably set up by your IT administrators in the first place, so in that sense they’re still the root of trust.
Bingo. The admin just changes the email address, then does a forgot-password recovery. This works without SSO/special integrations. You can do this on a vanilla Slack install to any user.