You are systematically ignoring the title of this subthread.
The "access control" thing has a solution, and it's not deep packet inspection, it's 802.1x.
The "traffic shaping" thing has a solution, and once your user is authenticated with 802.1x, you can identify their traffic and mark their packets and shape it so it does not mess things up for themselves and others.
If you have a real-world big organization, you shouldn't snoop people's bank account passwords (THAT is what your deep packet inspection is doing, anyway) so you don't incur a HUGE liability (bank auditor inspecting user laptop: "no viruses or trojans, let's check the bank certificates... whoa, a fake one, not in my list... who emitted this? ah, a MITM box, whose box? aha! they snooped the password. hi, legal department, I found someone for you to sue." -- true story).