In my line of work, we've got better things to do than defend boxes against incompetent engineers. If you've got a logon to the box, you should be trustworthy enough to know what you're doing.
That never works. Engineers are not SysAdmins, and rarely are they trained well enough to mimic one.
On shared machines, no one gets root (or sudo) unless they are managing that box and are responsible for it. So, everyone gets sudo on their desktop, and only the real Admins get sudo/root on the development servers. If someone can prove a real need to run something as root, and once we in IT can verify that it's not a security hole, we generally permit only one exact command line to be run via sudo. If they cannot distill their need to a very specific command (using absolute paths, including any arguments) then we reject it.
This is not a BS policy; it was derived from real events. Despite what the engineers around here would like to believe, they aren't generally smart enough to manage a box by themselves. It's been tried, and we refuse to take over any machine they managed without a wipe/reinstall of the OS.
"Oh but the whole build environment is setup on that machine, we'll have to do it over again!" Tough titty, learn to do it over again. If you were a good engineer or programmer, you should be able to find a way to make it not as hard next time. Whats that, the guy who set it up left the company? That sucks, guess you need to figure it out anyways in case your box breaks.