[Agingcoder]

In my experience ( as a developer) this doesn't work in practice, since mirroring an actual, complete bunch of production systems in a large company is a difficult task unto itself! More often than not, you end up with a staging environment as per the security guys recommendations, but which is unfortunately barely usable.

It also makes investigating difficult bugs extremely difficult (staging tends to be slightly different from prod, smaller as well, different hardware, network, etc) since you can't reproduce them, and your prod team can't help you much, since what you need is actual full box access to poke around.

I agree with you on the compliance point.