Maybe you can:
A- Limit the capabilities of users.
B- Help users limit the capabilities that they give to their sub-users, whether they be per-program capabilities or per-dependency capabilities.
I think B is the path forward. If you give a user access to emails and files and ChatGPT, then he can give ChatGPT access to emails and files and do damage that way.
With B you can give the user access to ChatGPT and email and a file system, but help him configure fine-grained permissions for their experiments.