Yeah this is a good tool, if annoying at times.

A better way would be to not allow user accounts to deploy anything in any sort of prod accounts, instead only allowing this to happen through CI.