The AD Join for ISE is similar to joining a workstation to a domain. When you do the join, it is a one-time join to the domain and not binding to a directory using a service account. As long as you have permissions to make the join, that is all that is required. Once the machine is part of the domain, that account is not used anymore...
With one caveat on use cases:
If you have the desire to use Passive Identity in your deployment, then ISE can query domain controllers for events to determine the identity passively. For that you need to configure it properly and have the credentials presented via WMI or Agent. For that, please review the permissions required on that account and then configure that separately.
When ISE is joined to the Active Directory, it creates an object in the AD. The account should have the correct permissions to create that object; however, once created, the permissions that matter are the ones from the object, not the account.
In the scenario that you are posting, creating the object with a privileged account and then changing the permissions from that account should not have any effect, as the object would be created with the privileged account.
CCIE #41132 Security