Verify that use of the root account was authorized, as there are a small number of tasks which require it. If use was not authorized, revoke access to the root account immediately and change the password. If MFA was enabled, rotate the MFA device as it may be compromised. Perform an extensive review of activities performed by the root account.