This talk shows how to “red team” your assistants safely - plant realistic tests, measure what they accessed and shared, and write findings leaders can act on. Then we flip to defense with practical guardrails such as 'allow lists' for trusted sources, “show your sources” rules, output limits and filters, per-identity tool permissions, action budgets and simple approval steps. I will also cover the evidence leaders expect i.e. traces linking user --> prompt --> data --> actions, plus review and sign-off. Leave with a ready-to-use test kit, a controls checklist, and a blueprint to keep assistants helpful, contained, and auditable.