Cybersecurity team staff exempt from device management?

Is this normal or even recommended for internal cybersecurity staff to use unmanaged laptops (not joined to domain, no MDM) so they are not hampered by the same security policies that they monitor for everyone else?

Is there a specific exemption for this that doesn’t flag this practice as a problem by external audits?

cybersecurity cybersecurity team device device management domain exempt exemption external flag internal joined laptops management mdm monitor normal policies practice problem security security policies staff team