You’ll never be able to prevent privileged insiders, or their accounts, from being able to cause damage. But I have worked with organisations where internal tests were not able to compromise the most critical assets, and where the outcome of the tests was those assets become even more well protected. Which is really the best outcome you could be hoping for with these kinds of engagements, imo.