I think this is a good reason why we should have "certified" applications for SQL Server. Some way to limit access to the server to both a user and an application.
I have no idea how to prevent Excel/Word/etc. from getting access to your data and tracking that.
Or how you handle screen prints.
What about DBA tracking? never thought of that, but should every QA/SSMS sessions be audited somehow?