It can also be a case where the IT or other departments should have ZERO access to the systems.
Andrew,
Do you typically get asked by the end-user (owner, upper management) to restrict access, or lock out other departments? If so, do you ask for that to be put in writing? Do you hand over all credentials and configurations that you created to someone within these organizations?
I ask because I have worked with, and sub-contracted for, a number of integrators that believe that they can restrict access in these ways to avoid service calls / service issues (when the customer is on an MSA) or to limit the customer's ability to choose another integrator. I always found this to be odd. I have always been of the opinion that once the system has been sold to, and paid for by the client its their baby. I will do anything the customer wants as long as the request was within my SoW and signed off on.