Back in the 1980s, when I worked as a tool of the military-industrial complex, I ran a secure computer room. Every document we had not only needed to be accounted for, but there needed to be officially registered plans indicating how we would keep track of all documents we handled. The "Orange Book" and "Red Book" security rule books had a lot of theory about how you make sure you always account for every document and person on your computers and network, so you can always audit that access.
If the NSA couldn't do that for their internal operations, they've hopelessly failed. (And if you're asking whether it's malice or incompetence, it's both.)