Your prospects are utterly bleak, I'd say.
If I understand this correctly, you only want the Access developer, to access SQL Server through Access and through SSMS.
You can set up a DDL trigger which throws here out if app_name() does not return whatever is returned for Access. But she can easily fake that in the login form to SSMS. Of course, that could be construed as a workplace violation, but it seems that you are a loser in the political game.
Then there is more heavy-duty solution: put Access on Terminal Server, segment the network so that she cannot access SQL Server from her desktop. This is a common advice for two-tier applications. But in this case, a developer and a lot of people who are lovers of Access? You know that better than me, but from what you said, I don't expect any success.
I think the best you can do is to review what permissions she needs. I know nada of Access, but reasonably she would need db_datareader/writer and maybe EXEC on the dbo schema. If she need anything beyond that, she will need to ask you to perform those actions.
Erland Sommarskog, SQL Server MVP, www.sommarskog.se