the CTO is accountable for both the Dev and the "Dickhead"
Least privilege security is to protect yourself as well as from more malign threats.
Even in the good ol'days when my role was almost entirely performed with admin rights I had a healthy does of, don't give myself the option to mess with production if I can help it.
As for giving a newbie dev production access, with production examples, and clearly no supervision is unthinkable even then. shoulder surfing their activity, answering questions, and perhaps even setting up their environment for them avoids many unnecessary upset and complexity...
INHO story is highly plausible even if not true and dev was fall guy to divert from sackable CTO stupidity.