It’s inevitable. You’ve given a number of individuals in your organization rights to run around in AD making changes as they see fit, with little oversight. It’s a situation that’s ripe for abuse. A user with admin rights can grant another permissions with little more than a group membership change, giving an unauthorized user access to commit data theft, or fraud. Too many users, with too many privileges… an no one watching to prevent abuse.
If you do nothing, abuse will eventually occur… and you’ll likely never know.
So, what are you supposed to do about the abuse? No organization wants it to occur, but can it be stopped?