Who is responsible for determining who can access sensitive information? Is it the role of the database or system administrator, or the data owners from lines of business (LOBs)? Maybe the permission oversight varies when data content includes sensitive information. Should your privileged users and admins have actual access to the content? If so, how much control to you have over preventing bad behavior?