well, I mean, there's a review process too, if it's done right? Something business critical (like code, keys, and I'd include DNS records) should still need two pairs of eyeballs and a process before any changes are made.

DevOps doesn't necessarily mean unrestricted control.