It's difficult to imagine this recovery operation could happen if Apple never get access to the phone. Perhaps they could have representatives from both Apple & FBI present.
Proving all copies are gone isn't possible; you can't prove non-existence. Ensuring extreme unlikelihood seems relatively straightforward, though. Make fewer copies, trusted personnel only, isolate the development to a particular location with no network access, etc. Naturally there'll be a risk that a copy survives, just as there's a risk that a contingent of rogue Apple employees are already working on it for the FBI.
Proving all copies are gone isn't possible; you can't prove non-existence. Ensuring extreme unlikelihood seems relatively straightforward, though. Make fewer copies, trusted personnel only, isolate the development to a particular location with no network access, etc. Naturally there'll be a risk that a copy survives, just as there's a risk that a contingent of rogue Apple employees are already working on it for the FBI.