Community.general.shutdown Interactive authentication required

Yeah, that’s the key. It’s not Ansible-specific. The way you do that is to create a file in /etc/sudoers.d, say /etc/sudoers.d/15-thisuser that looks like this:

thisuser ALL=(ALL) NOPASSWD: /usr/bin/systemctl poweroff
Defaults:thisuser !requiretty

That will allow thisuser to run sudo /usr/bin/systemctl poweroff without a password.

More generally, a site designates an id (say, ansible-unchained) for running Ansible on the managed nodes, sets up public/private key pairs for that id, and enables that id with full password-less sudo capability via /etc/sudoers.d/<somenumber>-ansible-unchained that contains:

ansible-unchained ALL=(ALL) NOPASSWD:ALL

If you do that, understand and track that private key to the max: it is literally the key to your kingdom.

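The drop-in described above, as an added example that is not part of the original post: it renders the two-line sudoers fragment for one user and one command, writes it with the 0440 mode sudo expects, rejects file names that sudoers.d silently ignores (names containing a dot or ending in a tilde), and validates the result with `visudo -c -f` before anything is copied into /etc/sudoers.d. It assumes a staging directory you choose and takes the user and command as parameters (`thisuser` and `15-thisuser` below are the names from the post).

```shell
#!/bin/sh
# Added example, not from the post: stage and validate a sudoers.d drop-in.
# Assumption: "$dir" is a scratch staging directory, not the live /etc/sudoers.d.
set -u

# Render the drop-in body: one password-less command plus !requiretty for the user.
render_dropin() {
  user="$1"; cmd="$2"
  printf '%s ALL=(ALL) NOPASSWD: %s\nDefaults:%s !requiretty\n' "$user" "$cmd" "$user"
}

# sudoers.d skips files whose name contains '.' or ends in '~' (editor backups),
# so a drop-in with such a name would be ignored without any error.
valid_dropin_name() {
  case "$1" in
    '')     return 1 ;;
    *.*|*~) return 1 ;;
    *)      return 0 ;;
  esac
}

# Write the drop-in with mode 0440 and syntax-check it with visudo when available.
# Prints the staged path on success; removes the file and returns 1 on failure.
install_dropin() {
  dir="$1"; name="$2"; user="$3"; cmd="$4"
  valid_dropin_name "$name" || { echo "rejected drop-in name: $name" >&2; return 1; }
  path="$dir/$name"
  render_dropin "$user" "$cmd" > "$path" || return 1
  chmod 0440 "$path" || return 1
  if command -v visudo >/dev/null 2>&1; then
    # -c: check only, -f: check this file instead of /etc/sudoers
    if ! visudo -c -q -f "$path"; then
      echo "visudo rejected $path" >&2
      rm -f "$path"
      return 1
    fi
  fi
  printf '%s\n' "$path"
}

# Usage: install_dropin /tmp/sudoers-stage 15-thisuser thisuser "/usr/bin/systemctl poweroff"
# then copy the staged file into /etc/sudoers.d as root (ownership root:root).
```

Staging with visudo matters because a syntax error in a live /etc/sudoers.d file breaks sudo for everyone on the host, not just for the user the file is about.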