A website AI assistant tied to lead capture or support is part of your operating workflow, not a front-end experiment. Current OpenAI and OWASP guidance makes prompt-injection controls, least-privilege tooling, structured handoffs, and user-level safety tracking part of a credible launch plan.