
Lots of enterprise setups have complicated RBAC/ACL/audit setups where sysadmins/DBAs are only given the bare minimum permissions necessary to complete their required roles. I seem to recall an article from a while back about Google changing some policies after a sysadmin was found to be accessing private user data, to require additional oversight/signoff, or maybe even active observation. Unfortunately, I can't find the article I saw it in, so I may be mistaken.

Technical measures and policies can go some of the way, but I think protecting against a motivated internal attacker with some level of elevated permissions is going to be a tough thing to achieve.
