• Where I work, we have kind of a hybrid approach. We recently created views for all our tables, refactored the code, and then removed all access to those tables from the service-level account our application runs under. It has read permissions on the views, so we can still write ad-hoc queries, but all inserts/updates/deletes have to be done through stored procedures.
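
The permission layout described in the comment above, sketched in T-SQL as an added example (not the commenter's code), with checks that the service account really has no path to the base table. SQL Server is an assumption, since the comment names no DBMS, and `dbo.Orders`, `dbo.vOrders`, `dbo.usp_InsertOrder` and `app_svc` are hypothetical names.

```sql
-- Added example. Hypothetical names: dbo.Orders, dbo.vOrders, dbo.usp_InsertOrder, app_svc.
CREATE USER app_svc WITHOUT LOGIN;   -- stand-in for the application's service account
GO
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY(1,1) PRIMARY KEY,
    CustomerId INT           NOT NULL,
    Amount     DECIMAL(10,2) NOT NULL CHECK (Amount >= 0)
);
GO
CREATE VIEW dbo.vOrders AS
    SELECT OrderId, CustomerId, Amount FROM dbo.Orders;
GO
CREATE PROCEDURE dbo.usp_InsertOrder @CustomerId INT, @Amount DECIMAL(10,2)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.Orders (CustomerId, Amount) VALUES (@CustomerId, @Amount);
END;
GO
-- Reads go through the view, writes through the procedure, nothing on the table.
-- All three objects share an owner (dbo), so ownership chaining skips the table check.
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Orders FROM app_svc;
GRANT  SELECT  ON dbo.vOrders         TO app_svc;
DENY   INSERT, UPDATE, DELETE ON dbo.vOrders TO app_svc;  -- simple views are updatable
GRANT  EXECUTE ON dbo.usp_InsertOrder TO app_svc;
GO
-- Check 1: effective permissions as the service account. The model holds when
-- only view_select and proc_execute are granted.
EXECUTE AS USER = 'app_svc';
SELECT HAS_PERMS_BY_NAME('dbo.Orders',          'OBJECT', 'SELECT')  AS table_select,
       HAS_PERMS_BY_NAME('dbo.Orders',          'OBJECT', 'INSERT')  AS table_insert,
       HAS_PERMS_BY_NAME('dbo.vOrders',         'OBJECT', 'SELECT')  AS view_select,
       HAS_PERMS_BY_NAME('dbo.vOrders',         'OBJECT', 'INSERT')  AS view_insert,
       HAS_PERMS_BY_NAME('dbo.usp_InsertOrder', 'OBJECT', 'EXECUTE') AS proc_execute;
EXEC dbo.usp_InsertOrder @CustomerId = 1, @Amount = 9.99;   -- write via procedure
SELECT OrderId, CustomerId, Amount FROM dbo.vOrders;        -- ad-hoc read via view
BEGIN TRY
    INSERT INTO dbo.Orders (CustomerId, Amount) VALUES (1, 1.00);  -- direct table write
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();   -- permission error is the intended outcome here
END CATCH;
REVERT;
GO
-- Check 2: role memberships (db_datareader, db_datawriter, db_owner) bypass the REVOKE.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'app_svc';
```

A procedure that builds its statement with dynamic SQL breaks the ownership chain, so the caller's own table permissions are checked again and the write fails under this layout unless the procedure is signed or uses `EXECUTE AS`.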