Policy creation: who's in the driver's seat?

Well I am pretty much the ASM administrator at my company, or rather it belongs to my team, which is defined basically as a Perimeter Security group. So we mostly deal with network security, but this landed with us years ago when it was TrafficShield. I took it on from someone who left about 2 years ago and my background is mostly in network and systems security. Most of the time I setup the ASM and get the policy in learning mode in our test environment and then take time with the developers/application owners to go over what was learned in the policy and what I should accept. The whole process from test environment setup to production implementation takes about a month on average. I am currently working to define and document a process for all of this so that I can hand it to basically anyone on my team to work with a project for a new application. As well as documentation for the developers on suggested testing procedure, how ASM works, what it blocks on, and why. The problem I see with just handing over policy management to application owners/developers is that at least in my company they are not very security minded, and they just want to make it work and get it out there. Not to say they would purposely turn something off that they knew would create a security hole, but a lot of the time if you are not dealing with security on a day to day basis you don't necessarily think it all the way through, just like anything else.