Absolutely--
Assuming for a moment that your SEPM groups are mapped to Active Directory OU's, follow these steps:
Create "do-nothing" policies for Application & Device Control and the Firewall (call them something like "Production Client Firewall Policy")
[Note - in the case of the firewall policy "Do Nothing" would mean using the default rule set-- don't put in a blank rule set or you may have problems]
Apply the "Do Nothings" to all SEPM Groups
Create a new "Test" group
Identify machines that you want to pilot App & Device Control settings and put them into the Test group
The machines in the Test group will still appear in the AD linked group, but from a policy standpoint their appearance in Test will take priority. Now create an App & Device/Firewall policies you want to test and apply it to only that test group. Similarly, you can upgrade the clients in your production (AD-linked) groups with the other components and know that they will inherit the "do nothing" production policies. After you're satified with the results on test policies just duplicate the change on production.
That's the 500 foot view anyway. I hope it's helpful!