Once an automation is created by a citizen developer, are there hardening / production-ready steps that should be required?

If the process is built for self-use, hardening is typically not recommended because that restricts the extent of any adverse action to a single user. If the automation is going to be used by a group of users, hardening is recommended. This can be achieved using functionality provided by Workflow Analyzer which indicates the gaps in any non-compliant code. Rules can be configured in such a way that only hardened code can be published to the Orchestrator for broad use.