What you need to do is find a way to automate the way that the Deny Access group's UNID could get updated within the driver. Currently it is stored within a GCV in the driver object.
To make a change in a GCV, a driver restart is needed.
You could potentially track down the rules that reference that GCV and replace it with a Map token that pulls the value from a Mapping table.
What this buys you is that Mapping tables are re-read on the fly, so you could (in IDM 3.5.1 and higher) give the Notes admin enough rights to just modify the attribute of the Mapping table's value in the driver set (perhaps with an LDIF he just runs; each time he makes a new Deny Access group, he has to paste the current UNID into the LDIF file and run a script that updates the table).
That may be a step better, but not 100% of what you want.
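
A sketch of the update script described above, as an added example that is not part of the original post: it checks the pasted UNID before building the LDIF, so a bad paste never reaches the table the driver re-reads. The DN, the row key `DenyAccessGroup`, the column names and the use of `DirXML-Data` as the attribute holding the table XML are assumptions to adjust for the actual driver set.

```python
import base64
import re
from xml.sax.saxutils import escape

# Assumptions (not from the post): placeholder DN, a one-row table keyed
# "DenyAccessGroup", and DirXML-Data as the attribute holding the table XML.
TABLE_DN = "cn=NotesUNIDs,cn=NotesDriver,cn=DriverSet,o=system"  # placeholder
ATTR = "DirXML-Data"
UNID_RE = re.compile(r"[0-9A-F]{32}")  # a Notes UNID is 32 hex digits


def normalize_unid(raw):
    """Strip whitespace from a pasted UNID; reject anything not 32 hex digits."""
    unid = "".join(raw.split()).upper()
    if not UNID_RE.fullmatch(unid):
        raise ValueError("not a 32-hex-digit Notes UNID: %r" % raw)
    return unid


def mapping_table_xml(unid):
    """Build the mapping-table XML with a single row: key -> UNID."""
    return (
        "<mapping-table>"
        '<col-def name="key" type="nocase"/>'
        '<col-def name="unid" type="nocase"/>'
        "<row><col>DenyAccessGroup</col><col>%s</col></row>"
        "</mapping-table>" % escape(unid)
    )


def build_ldif(raw_unid, dn=TABLE_DN):
    """Return an LDIF modify record that replaces the table content."""
    xml = mapping_table_xml(normalize_unid(raw_unid))
    b64 = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    line = "%s:: %s" % (ATTR, b64)
    # Fold long lines per RFC 2849: continuation lines start with one space.
    folded = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    record = ["dn: " + dn, "changetype: modify", "replace: " + ATTR]
    return "\n".join(record + folded + ["-"]) + "\n"


if __name__ == "__main__":
    # Constructed sample UNID, not a real document ID.
    print(build_ldif("0123456789abcdef0123456789ABCDEF"), end="")
```

The account that applies the resulting LDIF only needs write access to that one attribute on the mapping table object, which matches the limited rights described above.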