It always starts with "we just give developers in project access to things in project and it all be nice and secure, we will also have separate role for deploy so only Senior Competent People can do it.

Then the Senior Competent Person goes on vacation and some junior needs to run a deploy so they get the role.

The the other project need a dev from different project to help them.

Then some random person need something that has no role for it so they "temporarily" gets some role unrelated to his job.

Then project changes a manager but the old one is still there for the transition

And nobody ever makes a ticket to rescind that access

And everything is a mess