Well, it is a process. When I was young I tended to be cocky and hard headed thinking my way was best, not because I felt I was better but because I wanted what I felt was best practice. But now I am old and cranky
But at the end of the day, software is an always changing thing, here today gone tomorrow. but the one constant is people. Today you have SSRS and tomorrow it could be gone, don't get hung up on a specific way of doing thing even if you honestly feel it is accepted best practice. Suggest kindly, work out the politics respectfully and you will gain allies now and any future recommendations you make.
Yes I give the service account read only on the data (this is where a datawarehouse/data mart/mini mart) might be important implementation so that you don't hammer your OLTP, but that is another topic) and execute on the stored procedure that fetch the data. that is it. Now I do not use this svc account (svc-SQLreports) for anything else, especially not as the SQL Service account.
Developers should only have dev instance but walk through this process with them collaboratively not something you impose on them. Your IT manager should have your back. Maybe a few select Sr devs could have access to prod. Also you should accommodate their needs also. Always say "Yes and.." instead of "Yes but.." For example could you provide them a refresh of dev server from prod (with obfuscated data) on a regular basis, or have different versions of the dev instance that matches a certain branch of work they might doing? etc
We have 3 instances, local sql server where I work on internal nodejs application, a dev instance that also acts as our qa server, then production. Nothing is pushed that was not tested by dev on local, qa folks on our dev/sqa server. All scripts follow a certain folder pattern
runs in local and is re-runable, then runs in dev/sqa etc