Add the ability as Portal administrators for restrict the types of content that users can create. In effect this would be splitting the Content > Create, edit and delete privilege in the roles to different types of content such as web maps, layers, apps (which might be further split into Story Maps, templates, web app builder etc).
The reasoning behind this is that we only want users to be able to use properly managed, authoritative apps built by the GIS team to meet a specific business requirement. Similarly we'd also prefer them to only use authoritative data layers that we've uploaded to avoid multiple copies of datasets popping up across the Portal.
We've been running our Portal for about six months with a small number of core apps for users to consume and we've restricted user roles to not allow any content creation. We're getting close to rolling out more functionality starting with the ability for users to add corporate layers into the map viewer and then save and share their own web maps.
There doesn't currently appear to be a way of doing this without opening up the ability to also create apps and upload their own data. There may well be future use cases where we're happy for them to do this but for now it's almost as if Portal offers too much advanced functionality for our users - we have to support and document all of this, how do you explain that there is this option to create different types of app but we'd actually prefer it if you don't use it?!
The best we can probably come up with for now is to restrict sharing of content only to certain groups (rather than organisation wide) and then do some kind of regular trawl through users' content directories to remove any items which are applications possibly using the Python API.