If you want continuous password management by teams, you could consider using dynamic target groups for privileged accounts. This could be based on, say, the value in the "descriptor 1" field of the target account. Then create a credential management role for password management (or use the existing role). Then create credential management user groups (not to be mixed up with access management user groups) for the different areas across the enterprise. Each user group contains the password management role and the corresponding target group.
When adding new target accounts, users need to be disciplined and add the correct text string to descriptor 1. If they do this, then only their team (and system administrators) can subsequently view the password or update. If they get it wrong, then only system admins can view the password, and a system admin would need to update the descriptor 1 field to make it visible to the team again.
Alternatively, you could give teams the permission to just create target accounts, but not manage them. Then you may not need to worry about scoping via the descriptor 1 field. Standard access policies would be used to view the passwords. This may require system admins to set up the access policies. Note, I haven't tried out this variant, so may require some tweaking.