This is one of the fundamental differences between IT security and IT operations (or a difference between haphazard IT operations and properly managed IT operations):
web dude: “I need you to give a development service account access to a staging environment system for me to get a project done.”
sec dude: “Umm, no, you need to use a staging account in the staging environment.”
web dude: “Are you saying no because you don’t want to, or because you can’t do it?”
sec dude: “I’m saying no because that’s not how we manage and operate our environment.”
web dude: “But it’s possible, right?”
sec dude: *sigh*
It’s one of those “always painful” parts of what we do… Yes, it’s possible. It’s also possible for me to clone my HID card and leave the copies scattered in the parking lot just in case someone gets stranded and needs a warm place to wait while help arrives. It’s possible for me to open up the firewall to allow everything in and out. It’s possible for me to give everyone admin rights to their machines, go home, unplug my phone, and ignore frantic calls for help when things break. Yes, it’s possible, but it’s illegal/prohibited/stupid.
Further conversation can branch into topics like the difference between the right and wrong of most crime versus the right and wrong of digital practices/security; how layered protections that go beyond what the web dude in the above example knows about will succinctly quell his protests (he doesn’t know I limit accounts to certain servers); or how policy is enforced, etc.