[Duff]

Unless you're a really small org, devs and sysadmins have different roles and need to have distinct privileges to prevent them from stepping on each other. The bigger you get, the more important this is.

You have a few things from an internal control POV that you can do to help prevent "bad" things from happening. Examples include: privilege separation, change control, dev/test/prod environments, scripted deployments, automation, etc.

When devs bitch about not having the privileges they need, the biggest issue is usually communication. The SAs work for a different Director, and there is an adversarial relationship. Fix that, and most of your problems go away.

[Drbble]

Fun fact: Amazon and Microsoft have done "devops" since before the word was invented. Google and Microsoft do not. As usual, the correct answer is "don't hire idiots" and "do have clear policies, tools, and audits", not "don't allow person X to touch machine Y"