First, make sure your procedural and policy ducks are in a row and carefully align what you do and say within that policy. Second, think through your priorities. Suspecting one end user has acquired super-user access may have serious overall implications — such as potential violation of defense contracting requirements or HIPAA obligations. Perhaps the priority should be a rebuild of your access control structure; since one “known” violation suggests there could be others. Third, obtain line management support at an appropriate level before, for example, installing key board capture or other detection measures.