How are others evidencing the system changes deployed whilst monitoring for unauthorised updates?

Summary:

There seems to be an increasing need to monitor/audit the database looking for authorised updates and confirming the change deployed.
How are people reconciling the changes you deploy to the db tables which are updated each month/periodically to show the only system updates are change requests approved and expected each change cycle?

The audit policies functionality isn't great and coverage is far from complete, we do have a 2rd party tool which rapidly captures the cloud configurations but even that isn't a complete snapshot of all areas.

Content (please ensure you mask any confidential information):

Version (include the version you are using, if applicable):