• Ken Shapley (3/9/2009)


    Nice trick.

    Can you add some real-life examples of where this was implemented? And the details of why it was absolutely necessary? And, were all other alternatives for handling security considered before implementing this solution?

    A real-world example was given in the article. If you see someone trying to connect as sa from a web server in the DMZ, that's usually a good sign (given good application design) that an attacker has compromised the web server and is launching an attack against the SQL Server. Now given that the web server is in the DMZ, it shouldn't be on the domain, which means you have to drop back to SQL Server logins. Now most folks configure their IDS/IPS to alert only, meaning that attacks against SQL Server-based logins would not be blocked by the IDS/IPS.

    As to examples of where this kind of thing was implemented, if you search the forums, here, MSDN, and Stack Overflow (and on Twitter, as I believe @BugBoi was implementing based on application name ~ tweets were around March 3).

    K. Brian Kelley
    @kbriankelley