• We have the same requirements here.  We're doing a few things to ensure we're compliant:

    1.  Separation of duties.  Developers can't change ANYTHING in production.

    2.  Set up a trace to monitor all metadata changes and permissions changes.

    3.  Set up a trace to monitor all connections outside of app and web server pairs.

    4.  Lock down security on applications to only permit needed access per application context.

    Derrick Leggett
    Mean Old DBA
    When life gives you a lemon, fire the DBA.
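As an added illustration of items 2 and 3 above (this is example code written for this page, not Derrick's own setup), the following T-SQL creates two server-side traces with the `sp_trace_*` procedures: one that captures metadata (DDL) and permission changes, and one that captures logins from any host other than the known application and web servers. It assumes SQL Server 2008 or later; the output path `D:\Audit\` and the host names `APPSRV01` / `WEBSRV01` are constructed placeholders to be replaced with real values.

```sql
-- Added example: server-side traces for DDL/permission changes and off-host logins.
-- Assumes SQL Server 2008+ (multi-row VALUES, DECLARE with initializer).
-- 'D:\Audit\...' and the host names are constructed placeholders.
USE master;
GO
DECLARE @tid int, @rc int, @on bit = 1, @maxsize bigint = 50;  -- 50 MB per file, then roll over

------------------------------------------------------------------
-- Trace 1: metadata changes and permission changes (item 2)
------------------------------------------------------------------
-- Option 2 = TRACE_FILE_ROLLOVER; SQL Server appends .trc to the path.
EXEC @rc = sp_trace_create @tid OUTPUT, 2, N'D:\Audit\ddl_perm_trace', @maxsize, NULL;
IF @rc <> 0 RAISERROR('sp_trace_create failed with code %d', 16, 1, @rc);

-- Event classes:  46 Object:Created, 47 Object:Deleted, 164 Object:Altered,
--                102 Audit Statement GDR (GRANT/DENY/REVOKE), 103 Audit Object GDR,
--                108 Audit Add Login to Server Role, 110 Audit Add Member to DB Role
DECLARE @events TABLE (id int);
INSERT @events VALUES (46), (47), (164), (102), (103), (108), (110);

-- Columns:  1 TextData, 6 NTUserName, 8 HostName, 10 ApplicationName,
--          11 LoginName, 14 StartTime, 34 ObjectName, 35 DatabaseName
DECLARE @cols TABLE (id int);
INSERT @cols VALUES (1), (6), (8), (10), (11), (14), (34), (35);

-- sp_trace_setevent takes one (event, column) pair per call, so loop over the cross product.
DECLARE @pairs TABLE (n int IDENTITY(1,1), ev int, col int);
INSERT @pairs (ev, col) SELECT e.id, c.id FROM @events e CROSS JOIN @cols c;

DECLARE @i int = 1, @n int = (SELECT COUNT(*) FROM @pairs), @ev int, @col int;
WHILE @i <= @n
BEGIN
    SELECT @ev = ev, @col = col FROM @pairs WHERE n = @i;
    EXEC sp_trace_setevent @tid, @ev, @col, @on;
    SET @i += 1;
END

EXEC sp_trace_setstatus @tid, 1;   -- 1 = start the trace
PRINT 'DDL/permission trace id: ' + CAST(@tid AS varchar(10));

------------------------------------------------------------------
-- Trace 2: connections that do not come from the app/web pair (item 3)
------------------------------------------------------------------
DECLARE @tid2 int;
EXEC @rc = sp_trace_create @tid2 OUTPUT, 2, N'D:\Audit\offhost_login_trace', @maxsize, NULL;
IF @rc <> 0 RAISERROR('sp_trace_create failed with code %d', 16, 1, @rc);

-- Event 14 = Audit Login; capture who, from where, with which client application.
EXEC sp_trace_setevent @tid2, 14, 6,  @on;   -- NTUserName
EXEC sp_trace_setevent @tid2, 14, 8,  @on;   -- HostName
EXEC sp_trace_setevent @tid2, 14, 10, @on;   -- ApplicationName
EXEC sp_trace_setevent @tid2, 14, 11, @on;   -- LoginName
EXEC sp_trace_setevent @tid2, 14, 14, @on;   -- StartTime

-- Filters on HostName (column 8): logical operator 0 = AND, comparison 1 = Not equal.
-- Only logins from hosts OTHER than the known servers are written to the file.
EXEC sp_trace_setfilter @tid2, 8, 0, 1, N'APPSRV01';   -- placeholder app server
EXEC sp_trace_setfilter @tid2, 8, 0, 1, N'WEBSRV01';   -- placeholder web server

EXEC sp_trace_setstatus @tid2, 1;
PRINT 'Off-host login trace id: ' + CAST(@tid2 AS varchar(10));
GO

-- Reviewing what was captured (run periodically or feed into a reporting table):
SELECT StartTime, LoginName, HostName, ApplicationName, DatabaseName, ObjectName, TextData
FROM   fn_trace_gettable(N'D:\Audit\ddl_perm_trace.trc', DEFAULT)
ORDER  BY StartTime;
```

Two points worth keeping in mind when using this: a trace defined with `sp_trace_create` does not survive a service restart, so in practice the script is wrapped in a stored procedure marked with `sp_procoption ... 'startup', 'on'`; and the separation-of-duties item only holds if the `D:\Audit` share and the `ALTER TRACE` permission are out of the developers' reach, otherwise the people being audited can stop the trace or edit its output.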