This is fundamentally true. However it is possible to limit the bandwidth of data the employee can exfiltrate.

Assuming a privileged employee suddenly becomes a bad actor. Private-keys/certs are compromised, any kind of shared password/login is compromised.

In my case I have a legit access to my company’s web-certs as well as service account ssh-key’s, etc. If I were determined to undermine my company, I could absolutely get access to our HSM-stored software signing keys too. Or more accurately I’d be able to use that key to compile and sign an arbitrary binary at least once.

But I couldn’t for example download our entire customer database, I could get a specific record, I could maybe social engineer access to all the records of a specific customer, but there is no way I’d be able to extract all of our customers via an analog loophole or any standard way. The data set is too big.

I also wouldn’t be able to download our companies software source code in it’s entirety. Obviously I could intelligently pick a few key modules etc, but the whole thing would be impossible.

And this is what you are trying to limit. If you trust your employees (some you have to), you can’t stop them from copying the keys to the kingdom, but you can limit the damage that they can do, and also ensure they can’t copy ALL the crown jewels.

You are disappointed because it doesn’t have to be this way.