Maybe it is time to rethink how people does things.
I would make it mandatory to fill in a change log for every setting that is changed on the network (including servers). It is in any case good to know what changes were made by whom, and when.
Forbid any changes to the proxy log settings. No-one is excluded. The head of IT could remove any IT personal from the list, should they be on the top because of patch downloads, etc.
Access to sensitive systems should be restricted to people that can be trusted. Access is only granted for valid work, and only on a temporary basis.