Instead of defining "software" and "physical" constraints, define multiple permission levels. Require different keys/pieces of hardware/secure whatevers to activate controls. Consumer end users get all the keys. Corporate IT departments split up the keys, and give some to the end users. Make the keys standardized doodads in brightly colored plastic cases that nest, so you can easily keep track of them. Include some functionality to register and de-register a key for a particular permission level, or to totally wipe the machine clean and start over.
Unbreakable security is impractical without infallible storage. For as long as hard drives fail and physical media is subject to errors, replicating physical analog copy protection (that is, where there's an instance of a thing and that's it, that's the thing) is dangerous and stupid. But if there's a way to copy a pattern of bits, there's more than one way. Bang! The whole thing falls down. So, if hardware makers want me, as a consumer, to accept any form of unbreakable physical security, they must 100% guarantee that my data will not be lost because of the security measures.