See this all the time - for example, zealous dev "if I had production DB read/write I could get things done so much faster."
Sure, but the production DB has an incredible amount of PII and we are audited out the wazoo, but even if that weren't the case and it was totally fine, all it takes is you being careless with your credentials one time and the company's hosed or we have a massive breach, or some rogue employee encrypts the data with ransomware. So, yes, it would make you faster, and no, you can't have it. It's insane how often I have this type of conversation and insane how often I am the bad guy in it.
The solution is replicating the DB and scrubbing the PII. Then the dev can go wild.
This is a solution-oriented approach instead of a lazy ass-covering approach, which I think the GP was referring to. The job should be finding risks and then figuring out how to work around those risks. Very rarely are there no solutions; most of the time it is due to general laziness or inaptitude where someone can find risks but they do not find solutions.
> The solution is replicating the DB and scrubbing the PII. Then the dev can go wild.
In this particular example, often this isn't remotely feasible, either from a business logic standpoint (I can think of plenty of fintech examples), lack of qualified DBA/sysadmins, network admins, cloud cost constraints, methods and controls to ensure to auditors that devs cannot access production data - none of this is trivial, and often to the dev it seems "silly" they may need to wait a few hours for something they could technically access in a few minutes, but acting like these solutions have no tradeoffs or are always worth doing suggests a lack of knowledge as to how these things actually work in a business and on a development team. It certainly isn't always laziness, and I'd even say it's not laziness that often at all.
In your example, I am not saying you need to give the dev access to prod. But you should be working with the dev to figure out why he needs access to prod and figuring out what needs to happen to make the end goal happen. Getting read/write access to prod isn't the end goal, the dev is trying to accomplish something and they see direct access to prod as the solution.
My point wasn't that lawyers/security/IT/whatever shouldn't do their job. It's that their perspective should be focused on helping the company achieve whatever it's trying to do.