Of course I do not know your entire setup, but I can comment based on your original question as best I can.
The number of AEPs is irrelevant here. In the most generic sense, isolation happens via policy at the EPG level, that is to say, contracts and filters. As a recap (you likely already know, but just in case), any EPs in the same EPG can communicate without any contracts needed. Any EPs across different EPGs must have a contract that allows communication.
There are some other knobs that can play a role here too.
It is my guess that either you have a contract in place that allows DMZ to talk to Production and you just don't know it (such as the use of vzAny contracts under the VRF), or you have put the DMZ and Production EPGs into what is called a Preferred Group (which removes the need for contracts for its members), or you may have simply disabled contract enforcement for the entire VRF altogether (maybe by mistake).
I would check those things first. I'll wager it is one of them, or something along those lines.
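
The three checks suggested above, run over an exported tenant configuration, as an added example that is not part of the original reply. The class and attribute names (`fvCtx` `pcEnfPref`, `vzAny` and `fvAEPg` `prefGrMemb`, `vzRsAnyToProv`/`vzRsAnyToCons`) follow the APIC object model; the sample export and every tenant, VRF, EPG and contract name in it are constructed, and the script assumes one VRF per tenant rather than resolving each EPG's bridge domain.

```python
# Constructed sample in the nested JSON shape of an APIC tenant export.
# Tenant, VRF, EPG and contract names are hypothetical.
SAMPLE = {"fvTenant": {"attributes": {"name": "T1"}, "children": [
    {"fvCtx": {"attributes": {"name": "vrf1", "pcEnfPref": "enforced"}, "children": [
        {"vzAny": {"attributes": {"prefGrMemb": "enabled"}, "children": [
            {"vzRsAnyToProv": {"attributes": {"tnVzBrCPName": "permit-all"}}},
            {"vzRsAnyToCons": {"attributes": {"tnVzBrCPName": "permit-all"}}}]}}]}},
    {"fvAp": {"attributes": {"name": "app"}, "children": [
        {"fvAEPg": {"attributes": {"name": "DMZ", "prefGrMemb": "include"}}},
        {"fvAEPg": {"attributes": {"name": "Production", "prefGrMemb": "include"}}},
        {"fvAEPg": {"attributes": {"name": "Mgmt", "prefGrMemb": "exclude"}}}]}}]}}

def children(objs, cls):
    """Return (attributes, children) for each object of class cls in objs."""
    return [(o[cls].get("attributes", {}), o[cls].get("children", []))
            for o in objs if cls in o]

def audit(export):
    """List settings that let EPGs talk without an explicit EPG-to-EPG contract."""
    tenant = export["fvTenant"].get("children", [])
    findings, pg_enabled = [], False
    for vrf, vrf_kids in children(tenant, "fvCtx"):
        # Check 1: contract enforcement switched off for the whole VRF.
        if vrf.get("pcEnfPref") == "unenforced":
            findings.append(f"VRF {vrf['name']}: policy enforcement is unenforced")
        for any_attrs, any_kids in children(vrf_kids, "vzAny"):
            pg_enabled |= any_attrs.get("prefGrMemb") == "enabled"
            # Check 2: contracts attached to vzAny apply to every EPG in the VRF.
            prov = {a["tnVzBrCPName"] for a, _ in children(any_kids, "vzRsAnyToProv")}
            cons = {a["tnVzBrCPName"] for a, _ in children(any_kids, "vzRsAnyToCons")}
            for name in sorted(prov | cons):
                role = "+".join(r for r, s in (("provided", prov), ("consumed", cons))
                                if name in s)
                findings.append(f"VRF {vrf['name']}: vzAny contract {name} ({role})")
    # Check 3: EPGs included in the preferred group talk freely to each other.
    # Assumption: one VRF per tenant, so bridge domain to VRF mapping is not resolved.
    members = sorted(epg["name"] for _, ap_kids in children(tenant, "fvAp")
                     for epg, _ in children(ap_kids, "fvAEPg")
                     if epg.get("prefGrMemb") == "include")
    if pg_enabled and len(members) > 1:
        findings.append("Preferred group members: " + ", ".join(members))
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```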