This is exactly it. Even the best tools today cannot, and do not monitor all attack vectors.

If you can't trust someone to be an employee in a position where they have access to your systems, they should not be in that position.