The Bitcoin Wiki (in the linked article for multisig) cites a post on BitcoinTalk describing nearly the same problem that you did:
Suppose I am working with a company that wants to accept Bitcoin for international trades.
The company, for security reasons, would not want a single one of its employees to have access to the company BTC wallet's password. Any transaction would have to meet the approval of more than one employee.
Is this possible already? If not, how could it be implemented with public-key cryptography?
One common solution to this problem is multisignature (commonly abbreviated as multisig).
Most Bitcoin transactions (the ones created by users like you and me) require only one signature — that of the owner of the private key that corresponds to the Bitcoin address. Multisig comes into play by requiring a certain number of signatures for a transaction to be verified. The Bitcoin Wiki gives a few examples of this. The following examples use M-of-N transactions, meaning that M users (out of N users who are able to sign the transaction) must sign the transaction for it to be verified:
1-of-2: Husband and wife petty cash account — the signature of either spouse is sufficient to spend the funds.
2-of-2: Husband and wife savings account — both signatures are required to spend the funds, preventing one spouse from spending the money without the approval of the other
2-of-3: Parents’ savings account for child — the kid can spend the money with the approval of either parent, and money cannot be taken away from the child unless both parents agree
Specifically in regards to your question, 10 executives or employees of a Bitcoin exchange may have the private keys associated with a multisignature address; a combination of any 5 of those private keys may be required to send bitcoins from this address (this is a 5-of-10 transaction in the M-of-N transaction format).
This doesn't guarantee the bitcoins won't be stolen. 5 "evil" employees could collude to steal the bitcoins without the other 5 "good" employees knowing. However, this is a much more trustworthy system than a single employee being able to steal all the bitcoins (as could happen with a "standard" bitcoin address if an "evil" employee had access to the private key).
However, you might notice some flaws with this in regards to a Bitcoin exchange. Wouldn't it get tiresome for the 5 employees to constantly sign a transaction to provide withdrawals to users? The answer is yes, which is why companies implement a "hot wallet" — a wallet that holds a fraction of the bitcoins the company actually owns (the rest of the bitcoins are in a "cold wallet", which would probably be the multisig address). I'm not sure of the exact process exchanges use to send bitcoin from the cold wallet to the hot wallet (and I'm sure it differs from company to company), but I would guess that every once in a while, if the hot wallet is running low on bitcoin, M employees would verify a transaction from the multisig wallet to the hot wallet.
The hot wallet is totally susceptible to being stolen by a single "evil" employee (since it's most likely not a multisig wallet for efficiency, and thus has only one private key), or to being stolen by a thief, but companies would much rather only lose a fraction of their bitcoins (a hot wallet) than all of their bitcoins (a cold wallet).
Posted this at security.stackexchange.com because I thought it was much more related to computer security than the specifics of bitcoin. The question is about protecting any digital asset really. If it could be migrated back to security I'd be happy. – aioobe – 2016-12-02T08:11:41.900
It's not on topic on Security Stack Exchange in its current form. – Rory Alsop – 2016-12-02T10:10:58.893
Care to elaborate why? – aioobe – 2016-12-02T10:13:42.770
Your question asks what controls prevent an admin of bitcoin transferring funds to himself. That is very specific to bitcoin. – Rory Alsop – 2016-12-02T10:15:54.547
Not really. It could be any digital asset. I see it plainly as a question about information security. May I try to reformulate the question on security.SE, and leave out all references to bitcoin? – aioobe – 2016-12-02T10:17:23.230
Happy to chat in the DMZ - Security Stack Exchange chat, rather than here. – Rory Alsop – 2016-12-02T10:18:40.440