The answer to this is don't consider people trustworthy. Instead you control and audit access to systems and data: no-one has access to sensitive data outside some kind of authorisation, authorisations get signed-off by people who don't have conflicts of interest, access is logged in a tamper-proof way and so on. The access logs are cross-referenced against access requests and so on.
This doesn't stop all attacks: nothing can stop all attacks. But it does make them significantly harder. Some people, financial institutions, for instance, are already doing some or all of this and are working hard on doing more of it (I know this because I have worked on systems like this for these places). But most people seem to just treat it as too hard.