How might one verify that a file has been copied?

TL;DR: In many cases, you can see whether the file was accessed; however, it is impossible to tell whether a copy was made or not.

It seems that atime would be updated when using cp (unless noatime is in effect); however, doing any other read operation (like grep somestring $filename) would also touch the file.

In most installs (without a ton of auditing), it is not possible to find out why exactly the file was read, and whether the process reading the file also wrote a copy of the data elsewhere (to USB? to socket? to RAM?).

Moreover, this only concerns online, unprivileged attacks. If I have physical access, I could reboot into a live-CD distro, mount the partition read only, copy anything off it (or even make a full-disk image) and there would be no marks on the partition (except the incremented mount counter).