It is quite common that sql servers run just with a few accounts. Helpful audit logs on critical systems have a high cost. So technically it is not hard but practically it is.
True but they can have systems which execute on the behalf of an authenticated user and pass that to the SQL server but the system in the middle would have logs of that query and by whom. Now, to be fair, there are usually holes that allow direct access as well.