Tony Davis (Blog) wrote an interesting post (SA no more! - ha!) about users, developers, and especially third-party applications requiring sysadmin or sa login access. Tony makes an excellent point: "Ultimately, the business needs the application to work. The quickest solution to get the application into production is often to grant sysadmin privileges to the application login, in the production environment, and hope that the auditors don't notice."
One solution is security testing. There are a couple of ways to conduct security testing, but one relatively painless way is to create a SQL Login in the Development environment whose permissions are restricted to mimic Production - if you're running Mixed Mode security. Developers can change the connection string to use that SQL Login and then run their regression / unit tests against it.
If you're not running Mixed Mode security, you can create a login for an Active Directory account and restrict the permissions of that domain account the same way. Developers can then log in with the test domain account and run their regression / unit tests.
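Here is an added T-SQL example (not from Tony's post or this one) of a Production-mimicking test login and a quick check that it really is restricted; the database, schema, role, object and account names are hypothetical placeholders, and the GRANTs should be copied from whatever Production actually grants.

```sql
-- Added example: a restricted login in the Development environment that
-- carries the same permissions the application gets in Production.
-- All names below (AppDev, AppLogin_Test, app_runtime, reporting, dbo.Orders)
-- are hypothetical placeholders.
USE master;
GO
-- Mixed Mode: a SQL Login the developers can put in their connection string.
CREATE LOGIN AppLogin_Test
    WITH PASSWORD = 'ReplaceWithAStrongPassword!1',   -- placeholder
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDev;
-- Windows-only authentication: use a domain test account instead, e.g.
-- CREATE LOGIN [CONTOSO\svc_app_test] FROM WINDOWS;  (hypothetical domain)
GO
USE AppDev;
GO
CREATE USER AppLogin_Test FOR LOGIN AppLogin_Test;
-- A role that holds exactly the Production permission set: execute the
-- application's procedures and read the reporting schema, nothing more.
CREATE ROLE app_runtime;
GRANT EXECUTE ON SCHEMA::dbo       TO app_runtime;
GRANT SELECT  ON SCHEMA::reporting TO app_runtime;
ALTER ROLE app_runtime ADD MEMBER AppLogin_Test;   -- SQL Server 2012 or later
GO
-- Verify the restriction before handing the login to developers:
-- impersonate it and confirm it is not sysadmin and cannot do things the
-- application should never need (here: DELETE on a table).
EXECUTE AS LOGIN = 'AppLogin_Test';
SELECT IS_SRVROLEMEMBER('sysadmin')                             AS is_sysadmin,        -- expect 0
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'DELETE')       AS can_delete_orders;  -- expect 0
-- Full list of database-level permissions the test login actually has.
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO
```

Any test that passes with sysadmin but fails under this login points at a permission the application needs in Production, which is far cheaper to find in Development than after the auditors do.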
Security testing is essential and should be done as early in the development process as possible.