An unscrupulous engineer may attempt to bypass 2FA by creating an account and assigning it to the override group, or by assigning themselves to the override group. To guard against this, configure account auditing through the domain security policy, then use free Microsoft tools such as EventCombMT to query quickly across all the servers in your domain for critical events such as 660 (user added to a security group) and 661 (user removed from a security group).
Step-by-step screencast of this: http://silverstr.ufies.org/AccountAuditing/AccountAuditing.htm
Note: This screencast is not to be public, and Dana will create an official Scorpion Software screencast. This article should be updated with the new screencast, and then the article can be published.
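As an added example (not part of the original article or any Scorpion Software tooling), the sketch below shows the kind of review the collected 660/661 events support: it flags every change to the override group, marks self-additions, and reports how long a membership lasted before removal. The group name `2FA-Override` and the CSV column layout are assumptions made for illustration, not EventCombMT's actual output format.

```python
import csv
import io
from datetime import datetime

# Event IDs as given in the article.
ADDED, REMOVED = 660, 661
OVERRIDE_GROUP = "2FA-Override"  # hypothetical group name

# Constructed sample export; the column layout is an assumption.
SAMPLE = """time,server,event_id,actor,member,group
2024-03-01T09:00:00,DC01,660,CORP\\helpdesk1,CORP\\jsmith,2FA-Override
2024-03-01T09:05:00,DC01,660,CORP\\admin7,CORP\\admin7,2FA-Override
2024-03-01T09:20:00,DC02,661,CORP\\admin7,CORP\\admin7,2FA-Override
2024-03-01T10:00:00,DC01,660,CORP\\helpdesk1,CORP\\bjones,Sales
"""


def review_override_changes(export_text, group=OVERRIDE_GROUP):
    """Return (finding, member, actor, server) for each override-group change."""
    findings = []
    open_adds = {}  # member -> time of an add not yet matched by a removal
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: r["time"])  # merge events from all servers
    for row in rows:
        event_id = int(row["event_id"])
        if event_id not in (ADDED, REMOVED):
            continue
        if row["group"].lower() != group.lower():
            continue
        when = datetime.fromisoformat(row["time"])
        member = row["member"].lower()
        if event_id == ADDED:
            open_adds[member] = when
            # The actor adding their own account is the bypass described above.
            kind = "self-added" if row["actor"].lower() == member else "added"
        elif member in open_adds:
            minutes = (when - open_adds.pop(member)).total_seconds() / 60
            kind = f"removed after {minutes:.0f} min"
        else:
            kind = "removed"
        findings.append((kind, row["member"], row["actor"], row["server"]))
    return findings


if __name__ == "__main__":
    for finding in review_override_changes(SAMPLE):
        print(*finding, sep=" | ")
```

Every row it returns should be matched against an approved change request; a short-lived or self-granted membership with no matching request is the case to escalate.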