More to the point, in a case like this you need multiple nested perimeters. The media *is* the value of the company, so that should be stored on read only media, in multiple copies at different (secure) locations. Possibly encrypted, but then you need a somewhat similar protection for the keys.
Access to the media doesn't need to be available to anyone whose job doesn't involve editing it. So that another perimeter separate from that of the main company. If some management honcho says that he needs access, give him read only access. If he demands read/write access, have him work on a copy.
And, yes, this isn't perfect. Perfection is not available, so you nest near perfection. Now within each perimeter you also need those intrusion detection mechanisms you were talking about, but that doesn't suffice. Too much can happen too quickly.