Kinda what I figured... but nice to have confirmation 😀
They do have access to the production server to read and write from various databases - but it isn't global.
That being said, the people in question are technically allowed (from a business perspective) to have read-only access to all company data; we mainly just didn't want them logging into production and running expensive queries. So I think the AD group might be the best solution... We can block them from connecting via specific tools in production (Office products, Management Studio, etc.) to prevent that sort of thing.
I was hoping to avoid messing with AD (our parent company controls our AD and they're kinda strict about it) but I can probably make it work.