There is so much that should be done, but just isn't. There are a lot of people in IT that know enough to be dangerous, but don't have knowledge to understand when they are being dangerous. With inappropriate access, this can be a very bad thing. Some things to keep in mind are those things which you mentioned already. Shared accounts are a major problem with regard to accountability and should be avoided. Blanket access should not be granted for a simple task, but rather individualized access should be tailored to the user. Another item I have seen is with temporary acccess. Many times there are people that need access temporarily for a specific task or duty, with the idea being that the access will get removed after a set amount of time. Many times, though, that access is never removed. And the process of changing passwords after key employees leave is something that I have only seen done once in over 10 years. It is often just too time consuming and difficult to do.
With the Solarwinds systems I have administered, I have attempted to adhere to some of these standards. I have set up groups with varying levels of access, and have set up custom views for those groups. An example would be NCM--I set up a view where our LAN/WAN admins could view and administer their nodes in NCM, I had another view where appropriate IT management and executives could only read the NCM data, and everyone else couldn't even see the Configuration tab. I wish I could do this on a broader basis, but I do, or encourage, as much as I can. Given my newer security based role, I hope to increase my reach with this a bit more.