Lighthouse cannot be used with custom roles and some high-impact roles like subscription owner. They probably need something like Virtual Machine Contributor.
You could create an alert rule or workbook to monitor for any unauthorized actions.
You might try a custom role with guest user accounts.
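The kind of check such an alert rule would encode, run here over constructed Activity Log records; this is an added example, not part of the original answer. The caller name, the expected-action prefixes and the sample events are assumptions, and the prefix list is a stand-in for what you expect the delegate to touch, not the Virtual Machine Contributor role definition.

```python
# Constructed sample records, using field names from the Azure Activity Log
# event schema (caller, authorization.action, status.value, eventTimestamp).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2024-01-10T09:00:00Z", "caller": "msp-operator@managing.example",
     "authorization": {"action": "Microsoft.Compute/virtualMachines/restart/action"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-01-10T09:05:00Z", "caller": "MSP-Operator@managing.example",
     "authorization": {"action": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-01-10T09:07:00Z", "caller": "msp-operator@managing.example",
     "authorization": {"action": "Microsoft.Storage/storageAccounts/listKeys/action"},
     "status": {"value": "Failed"}},
    {"eventTimestamp": "2024-01-10T09:09:00Z", "caller": "msp-operator@managing.example",
     "authorization": {"action": "Microsoft.Authorization/roleAssignments/write"},
     "status": {"value": "Succeeded"}},
    {"eventTimestamp": "2024-01-10T09:12:00Z", "caller": "admin@customer.example",
     "authorization": {"action": "Microsoft.Storage/storageAccounts/write"},
     "status": {"value": "Succeeded"}},
]

# Assumptions: the delegated identity and what it is expected to touch.
DELEGATED_CALLERS = {"msp-operator@managing.example"}
EXPECTED_PREFIXES = ("microsoft.compute/virtualmachines/",)  # not the role definition
ACCESS_CONTROL_PREFIX = "microsoft.authorization/"

def review(events, delegated=DELEGATED_CALLERS, expected=EXPECTED_PREFIXES):
    """Return (time, caller, action, status, reason) for delegated activity to alert on."""
    findings = []
    for ev in events:
        caller = (ev.get("caller") or "").lower()
        if caller not in delegated:
            continue  # only the delegated principals are in scope here
        action = ((ev.get("authorization") or {}).get("action") or "").lower()
        status = (ev.get("status") or {}).get("value", "")
        if action.startswith(ACCESS_CONTROL_PREFIX):
            reason = "access-control change"
        elif not action.startswith(expected):
            reason = "outside expected scope"
        else:
            continue
        findings.append((ev.get("eventTimestamp"), caller, action, status, reason))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```

The status is kept in each finding because a failed call outside the expected scope is still worth a look: it shows the delegate attempted something its role did not allow.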