Short answer: What Chris S said: See "Our security auditor is an idiot, how do I give him the information he wants?".
Long answer:
Some of what a "SEO Guy" needs to do might require server access -- for example, installing optimized mod_rewrite rules, adding custom 404 pages, creating friendly redirects (and/or optimizing existing 3xx redirects), etc.
None of this is something that you can't do for him, and none of it is black magic trade secrets (he's going to make these changes on your server, you could diff the config file later and see exactly what was done).
Because of that, I personally don't see any need to give them access to make changes on the server (a read-only account sure, if you want, but no ability to effect changes without going through your company's approval process).
My advice:
- Say No.
Be proud of your No, for you are on the side of good, and righteousness, and stability of your environment.
- Explain WHY you are saying no to your manager/supervisor/whoever is in charge.
Pretty straightforward: "It's a giant security risk, he can just as easily give us his changes to push live so we can audit them first, yadda yadda yadda."
If you present solutions that still let the SEO guy get his job done while protecting your environment, and your higher-ups aren't insane, they will probably back you on this.
- Explain WHY you are saying no to the consultant and give him the alternate solutions.
If it's a deal breaker for them, let 'em walk. There are tons of SEO consultants out there...
If Management tells you to give him access anyway, get that in writing. Issue a memo outlining the risks, and get someone above you to sign off on those risks (this is all about protecting you in the event this guy blows up your server).
You should also insist that the consultant sign something stating that they will be liable for any damages if they disrupt the stability of your environment (which is all about protecting the company).