
Hi Team,

 

I am trying PMUL and want to ask if I can block any standard command without pbrun.

 

Example:

I want to block the standard ping but without using pbrun ping.

ping 8.8.8.8 should be rejected. But for now, I can only reject if the user executed pbrun ping 8.8.8.8.

Can we do that in PMUL? (right now, I am using role-based policies)

I have a case from an end-user, they want to block all kinds of commands except 2 or 3 specific commands.

Thanks

You can use PMUL Shells pbsh or pbksh to run the commands without pbrun. 



Okay, so, no way to block the command without using pbrun, pbsh, or pbksh in front?
 

 


As a basic disclaimer, broadly restricting the ability to execute commands on an operating system can impact system stability and normal operation if configured incorrectly, so care should be taken when designing and implementing such controls.

Basic PMUL policies typically rely upon the user invoking the PMUL client by using pbrun (or sudo, if you have chosen to deploy/configure the sudo wrapper).

As Prudhvi has suggested, forcing users into one of the PMUL shells ensures that every command issued is evaluated by the policy server, not only those invoked using the client commands, so you could reject everything but your approved commands - you can find more information here: https://docs.beyondtrust.com/epm-ul/docs/pmul-shells

 

However, PMUL also includes the ‘Advanced Control & Audit’ (ACA) feature, which can be used to audit and control file system access: https://docs.beyondtrust.com/epm-ul/docs/advanced-control-and-audit. 

Given that in Unix-based systems “everything is a file*” (*true enough for this example), ACA means that you can effectively restrict access to commands by limiting exec rights to its underlying file - or potentially all files within a directory.

Under a Role-Based policy, ACA rules are defined within the Script Policy section, so can be tailored for and targeted to your different user communities. Examples of the ACA syntax can be found here: https://docs.beyondtrust.com/epm-ul/docs/advanced-control-and-audit#aca

 

Hopefully between these options you can find something which suits your needs. 

