[Timon3]

I understand your perspective, it's absolutely right to insist on security in a corporate environment. I have also seen the other side as a developer and saw it happen a number of times. Understanding why it seems tempting to developers is probably the best way to fully get rid of it (although you might be doing so already, probably no way to fully get rid of the problem). The reasons I've seen usually were:

- Undocumented or unknown processes. Many enterprises have a discoverability problem regarding almost all information, and as somebody that frequently required some special support for my work, it often took shockingly long to find a person who knew how to find the information in the respective intranet. It's important that not only are the services available, they also must be discoverable and known.

- Complicated processes. A portion of developers that require these services are using them for the first time, or have used them without fully understanding and considering the implications. If the process for requesting support is too complicated (e.g. requiring a form where you either require very detailed information without assistance on how to find it, or - the worst case - a form with fields where the people responsible say "oh, just fill it with random stuff to keep going") it will make some people choose the less secure way to get going with work.

- Long processes. If a developer wants to use such a service and it takes weeks to months to receive support (e.g. overload of tickets, or the only person responsible is on vacation) it sometimes leaves little to no choice.

But again, definitely not advocating for circumventing security!