Even if your production stuff is in a separate account, that just helps prevent someone from accidentally screwing up production. To think that not giving your developers - the people who are creating code that you are putting on your servers and know the infrastructure as well as anyone - will prevent them from being malicious is just security theatre. It may help you check the box about being compliant with some type of standard but it really doesn't help you. If the developers program has access to production resources, they can gain access to those resources.