Active defense is another option. It is possible to set up a trap such that, when certain canary resources are modified, they trigger an action to disconnect and lock out the offending user account as well as alert admins to the issue.
98% of the time this will be triggered by an admin performing a task that just happens to touch that resource, but it is incredibly helpful the other 2% of the time.
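The trap described above, as an added example that is not part of the original text: it runs constructed file-audit events against canary path patterns, locks out the account on the first modifying hit, and tags the alert so the common admin-triggered case is quick to triage. The paths, account names, event format and the `Responder` class are assumptions; the platform-specific disconnect and lock-out calls are represented by the recorded state.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed values for illustration (assumptions, not from the original text).
CANARY_PATTERNS = ["/srv/share/finance/~canary_*.xlsx", "/srv/share/hr/DO_NOT_TOUCH/*"]
ADMIN_ACCOUNTS = {"adm-jlee"}
MODIFYING_ACTIONS = {"write", "rename", "delete"}

SAMPLE_EVENTS = [  # constructed file-audit records
    {"time": "09:01:10", "user": "adm-jlee", "action": "read", "path": "/srv/share/finance/~canary_budget.xlsx"},
    {"time": "09:01:12", "user": "adm-jlee", "action": "write", "path": "/srv/share/finance/~canary_budget.xlsx"},
    {"time": "09:14:03", "user": "svc-scan", "action": "write", "path": "/srv/share/finance/q3.xlsx"},
    {"time": "13:40:55", "user": "mwhite", "action": "rename", "path": "/srv/share/hr/DO_NOT_TOUCH/payroll.docx"},
    {"time": "13:40:56", "user": "mwhite", "action": "delete", "path": "/srv/share/finance/~canary_budget.xlsx"},
]

@dataclass
class Responder:
    """Hypothetical responder: records the lockout and alert that a real
    deployment would hand to its platform's account and paging tooling."""
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def contain(self, event):
        user = event["user"]
        if user in self.locked:   # already locked out: one alert per account
            return False
        self.locked.add(user)     # lock first, for admins too; triage afterwards
        hint = ("admin account, probably routine work" if user in ADMIN_ACCOUNTS
                else "non-admin account, treat as an incident")
        self.alerts.append({**event, "triage": hint})
        return True

def is_canary_hit(event):
    """True when a modifying action touches a path matching a canary pattern."""
    return event["action"] in MODIFYING_ACTIONS and any(
        fnmatchcase(event["path"], pattern) for pattern in CANARY_PATTERNS)

def process(events, responder):
    """Feed audit events through the trap and return the responder's state."""
    for event in events:
        if is_canary_hit(event):
            responder.contain(event)
    return responder

if __name__ == "__main__":
    for alert in process(SAMPLE_EVENTS, Responder()).alerts:
        print(alert["time"], alert["user"], alert["path"], "->", alert["triage"])
```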