The methods that I will share here allow an attacker to either conceal his identity or even evade auditing completely.
Most of these commands require sysadmin privileges. However, if your goal is to audit every access to sensitive data, this typically means “all users” – not with an exception for administrators. Because of this, it’s important to understand these methods so you can make an informed decision about whether to include them in your auditing scope.
Some of these are wildly impractical, but they do work and Andreas has mitigations for each.