Suppose a server-side signing scenario, where user keys are generated in a HSM and exported to a database, encrypted with a symmetric key derived from a user password and HSM's master key.
To sign, users must provide the referred password and an additional factor, like an OTP, for example. The OTP can't be used to protect the key because it's a dynamic value, so it's just used as an authorization barrier. The transmission of the two factors is done through SSL.
Now imagine a malicious inside attacker changes the application code, so the passwords the users submit get logged in a file.
Although the signing operation via the application requires 2 factors, somewhat preventing attacks from outside attackers, what can be done to prevent that an inside attacker accesses the HSM directly and decrypts a signing key with the password, and using it to sign documents on user's behalf?
Typically, physical access to HSMs is protected by dual control, but users may have logical access to HSM if they have the password to login remotely.
What kind of security measures can I implement to prevent this kind of inside attack?