@Skhonig On the basis it is a cloud based service via Salesforce, it sounds very much that you need a CASB or a SASE type solution, which can provide you full visibility on both privileged and user activities, and enforce policies preventing undesired transportation of information or communications.
There is a number of solutions out there in the market, all pushing their wares - first step would be to review Gartner and Forrester reports and review their findings.
If you are working within a Government environment, this is a major issue and headache for many - which contributes to many ShadowIT issues, Data Leakage issues due to the lack of visibility. The only answer really is a CASB or SASE, to provide you with a full knowledge and enforcement of your organisations required policies.
CASB's and SASE's services provide you with the capability to put in DLP capabilities and to prevent unwanted communications paths i.e. users attempting to pass information to an AWS bucket for in stance or a Microsoft Blob etc.
If you want further details, please send me a private message - happy to pass on details.