"seemingly, were able to exploit ssh agent forwarding to move on to new machines"
This definitely seems like an argument for working on tools to help users notice when this happens. Something relatively unintrusive would do the job, e.g. an icon like the "new mail" icon which blinks or something when your agent acts, and ideally provides information about when it last acted on behalf of a remote connection, which one, and using which key. The information about when the agent was used and which key was used is definitely available internally; the rest I am less certain of.
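One way to surface that information today, as an added example that is not part of the original comment: a small audit proxy that sits in front of the real agent socket (point `SSH_AUTH_SOCK` at it) and logs every signature request that passes through, with the key type and fingerprint. It relies only on the standard ssh-agent wire framing (uint32 length, one-byte type; `SSH_AGENTC_SIGN_REQUEST` is type 13 and carries the public-key blob, the data to sign and a flags word). The socket paths, the log-line format and the sample message built in the test are this example's own choices.

```python
"""Audit proxy for ssh-agent: log each signature request made through the agent.

Added example, not code from the original post. Assumes the standard ssh-agent
protocol framing. Usage (paths are illustrative):

    python agent_audit.py /tmp/agent-audit.sock
    export SSH_AUTH_SOCK=/tmp/agent-audit.sock
"""
import base64
import hashlib
import os
import socket
import struct
import sys
import threading
import time

SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENTC_SIGN_REQUEST = 13
MSG_NAMES = {11: "list-identities", 13: "sign-request"}


def read_string(buf, off):
    """Decode one SSH 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def fingerprint(key_blob):
    """OpenSSH-style SHA256 fingerprint of a public-key blob (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_frames(data):
    """Split a byte stream into complete agent messages; return (frames, leftover)."""
    frames = []
    while len(data) >= 4:
        (n,) = struct.unpack_from(">I", data, 0)
        if len(data) < 4 + n:
            break  # partial message, wait for more bytes
        frames.append(data[4:4 + n])
        data = data[4 + n:]
    return frames, data


def describe(frame):
    """Summarise one client->agent message; sign requests expose the key used."""
    msg_type = frame[0]
    info = {"type": MSG_NAMES.get(msg_type, "msg-%d" % msg_type)}
    if msg_type == SSH_AGENTC_SIGN_REQUEST:
        key_blob, off = read_string(frame, 1)
        data, off = read_string(frame, off)
        (flags,) = struct.unpack_from(">I", frame, off)
        algo, _ = read_string(key_blob, 0)  # blob starts with its algorithm name
        info.update(key_type=algo.decode(), fingerprint=fingerprint(key_blob),
                    data_len=len(data), flags=flags)
    return info


def log_line(info, now=None):
    """Render a summary as one line that a status-bar widget could consume."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S", time.localtime(now))
    return stamp + " " + " ".join("%s=%s" % kv for kv in sorted(info.items()))


def pump(src, dst, inspect=None):
    """Relay bytes src->dst; when inspect is given, report each complete frame."""
    pending = b""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
            if inspect:
                pending += chunk
                frames, pending = split_frames(pending)
                for frame in frames:
                    inspect(describe(frame))
    finally:
        for s in (src, dst):
            try:
                s.close()
            except OSError:
                pass


def serve(listen_path, upstream_path):
    """Accept clients on listen_path and relay each to the real agent socket."""
    if os.path.exists(listen_path):
        os.unlink(listen_path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(listen_path)
    os.chmod(listen_path, 0o600)  # same owner-only access the agent socket has
    srv.listen(8)
    while True:
        client, _ = srv.accept()
        agent = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        agent.connect(upstream_path)
        audit = lambda info: print(log_line(info), file=sys.stderr, flush=True)
        threading.Thread(target=pump, args=(client, agent, audit), daemon=True).start()
        threading.Thread(target=pump, args=(agent, client), daemon=True).start()


if __name__ == "__main__":
    serve(sys.argv[1], os.environ["SSH_AUTH_SOCK"])
```

Each forwarded session that sshd opens to the socket shows up as its own connection, and each use of a key is logged with its fingerprint; the proxy does not know which remote host triggered the request, only that a request arrived. The log stream is what a blinking-icon style notifier would read.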