The passwords for relational connections in PowerCenter can be changed using "pmrep updateConnection".
For relational connections in the domain you can use "infacmd UpdateConnection".
In order to update the passwords for repository databases, you will probably need to use one of the "infacmd isp Update..." functions.
Good luck with that. I don't envy you for this job; it's always very helpful when people invent policies without understanding what trouble they cause...
Best would be to have an agreement to have non expiry application specific service account passwords and have it updated. There is always an exception to any policy if the constraints are expressed.
Only option is to update the connections either commandline or via workflow manager manually.
Thank you for your suggestions !!