It's not really the developers installing their own toolchain you have to worry about here, though. The folks working on the official builds and deployment should be far more aware of what's happening, because that's what has to be supported. If you're letting B&D do things willy-nilly, that's a serious business problem.
I'm aware they're often the same folks (DevOps), but your senior engineer and/or project manager should be watching what's going out.