At most large companies, IT sets the policy and developers are required to work within that policy. I've worked at about 10 jobs. The only one where devs could write their own ticket was a startup
IT doesn’t have any involvement when it comes to S3 buckets at any company I’ve seen. Anything in a cloud tenancy is devops acting with autonomy. Sometimes they have a security person review it, but many companies don’t do that, and the ones that do have way more moving parts than their security engineers are capable of reviewing, so stuff gets through.
Even then, it’s unlikely that a security person would recommend compartmentalizing this particular data set. Any application that needs access to some of it probably needs access to all of it, and it makes little difference if you compromise a server and get one key or if you get 30 keys. The trust boundaries haven’t moved, so it would increase cost without really mitigating any threats.
