Access to anything using root passwords is a Bad Thing(tm), so Policy-Kit comes to the rescue. Having never used Policy-Kit (polkit-d), it was always something disabled in order to limit the number of extraneous processes running on a server/hypervisor system. However, in this case, it comes in handy.
[libvirt Management Access] Identity=unix-group:libvirt Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes ResultActive=yes
From there, just make sure all of the VM admins are in the “libvirt” group.