Yes, but backdoors/malware are a different question. I was talking about authorized access - LDAP, ssh keys, etc.
Detecting unauthorized software from a rogue privileged user is a different problem with very different mitigations. It is a great topic that I'm personally interested in, given that I'm implementing controls for that, but I wasn't discussing that.
No. It's easy to revoke access to a user. An admin is different - an admin can install whatever he wants to give him backdoor access. Or a timebomb.