Slight contradiction there. Only people with an account have access to update/approve objects in Service Desk. If you don't trust the people with access to update in Service Desk, you shouldn't be allowing them to approve objects in Service Desk.
An SP account would not have enough access to change things, so it will have to be an application account.
An SP account is more or less for end users to create a Service Call and check on it. You need an account to change records, and I am sure approval is counted as a change.