We had that same issue, and so we had to move to using CyberArk so that we could have a method of capturing anyone having direct access to the production database. But you are correct, there is no way to provide what they want unless you use something like CyberArk.

The way CyberArk works is that you set up the database to have access only through a specified SQL account with a password. The only thing is that CA will then rotate the password every time someone logs in to the database, and the only way you can log in to the database is by accessing the CyberArk account, logging in as you (using your Windows credentials and being authenticated against Active Directory). So the website will give you the password for the SQL account and you log in as it with the given password. CyberArk will then, after the designated time, change the password to that account so that you, or anyone else, would have to do that whole process again.

And it has a spot so you have to specify why you are logging in to it when gathering the password. It can be set so you have to provide a specific change request in ServiceNow, etc., if using that.