Maybe include some sort of notification options or entries within the audit logs that show details on behavior like this occurring such as when it occurred, and by what user signed into what asset that the agent is deployed to.