Just like in the Mendix Cloud: require an extra authentication step (MFA) when monitoring/configuring/deploying the production environment of an app. This would be a good addition to have in the Private Cloud as well.
This gives more security and prevents accidental changes on such environments.
Solution direction: when setting up an environment, configure via a checkbox if an extra MFA step is required to configure the environment.