Every DevOps/SRE/microservice article or book I've read makes the assumption that CI/CD and developer-driven deployments are the way to go. My SaaS startup is preparing for a SOC2 audit, and a more Waterfall-minded manager is insisting (after going through two SOC2 audits at previous organizations) that production deployments for our core product must:

* every corresponding task must be in the "closed" state in JIRA
* be signed-off by the manager
* only DevOps engineers should be able to hit "deploy"
* deployments are only every 2 weeks.

How can this be the case, since we have proper controls like

* Pull Requests must pass tests to be merged
* Code review is performed with references to JIRA tickets on every commit/branch
* QA is performed in a staging environment
* Deployments/Rollbacks are automated and logged.

In short, shouldn't developers (or at least senior developers) be able to push deployment updates on their own?