There's a discussion of the auditing vulnerability in section 5.4.6 of RFC 6113. In that case the armor ticket lifetime limits the window of the vulnerability. The conclusion there, which I agree with, is that it is often preferable to have a working system than no false audit events.