I think giving multiple people root access is the opposite direction the original question intended. I think the idea is that you don't want ANY one person to have the ability to bring down, corrupt, or steal from a single system. Considering the recent madness around congressional data, passwords, credit card databases, and thousands of other examples this sort of security seems more and more reasonable.
I work on some unclassified Department of Defense machines, and even to get root access to those machines our admins have to get Top Secret clearances. Of course, this does nothing to ward off incompetence and is only useful for providing increased trust in your single point of failure, (but that trust is important). I assume you're looking for assurances beyond this sort of social-engineering aspect.
The two-key (nuclear) option mentioned is probably workable for a reasonably administered production system. There are several ways to implement a two-person system that could work.
First, routine tasks, or tasks which can be pre-planned (i.e. non-emergency situations) could be scripted on backup environments without the sensitivity or criticality of the production system. This should be standard practice anyway. Once a working tested script is prepared (and that can be a script in the programming sense a la .ksh/.perl or a script in the user-documentation meaning). The production system can require dual authentication for logon before the script could be executed. In a fully automated setting this is a completely technological solution (although I admit that I don't know of a working implementation that is publicly available), but even if there are some manual steps required, holding both key holders responsible and requiring at least over-the-shoulder confirmation is a useful policy.
For more complex tasks, such as recovering physically corrupted data, which really can't be simulated and scripted, dividing responsibilities and ensuring multiple people are in attendance at all times can significantly reduce risk exposure with minimal impact (it doubles your staffing requirement, but only for the hopefully brief periods when this is required). Again, this is not a technical solution, other than having lock boxes or rooms with multiple keys.
It's important to realize of course that you'd have to apply this solution not just to your sysadmin role, but to your physical infrastructure (no one person can access the power button, the fuse box, etc. by themselves), and to each application running on the system, at least for any role that has access to protected areas. This is nigh impossible in a usable system, so the problem gets pretty complicated, but if you really need the security then it may be worth the effort.