I think this is a good reason why we should have "certified" applications for SQL Server. Some way to limit access to the server to both a user and an application.

I have no idea how to prevent Excel/Word/etc. from getting access to your data and tracking that.

Or how you handle screen prints.

What about DBA tracking? never thought of that, but should every QA/SSMS sessions be audited somehow?