ChatGPT Risk at Centre of Controversy After Acting US CISA Head Uploads Government Documents
When Convenience Overtakes Caution

The growing use of Artificial Intelligence (AI) tools like ChatGPT has introduced a new set of challenges for organisations—particularly when convenience overtakes caution. That reality came into sharp focus after reports revealed that the acting head of the US Cybersecurity and Infrastructure Security Agency (CISA) uploadd sensitive government documents to the public version of ChatGPT.
Madhu Gottumukkala, who has served as CISA’s acting director since May 2025, reportedly uploaded government contracting materials to the AI platform last year. While the files were not classified, they were marked “For Official Use Only,” a designation that explicitly limits public dissemination. The incident triggered internal cybersecurity alerts and prompted a review by the US Department of Homeland Security (DHS), according to multiple reports.
At its core, the episode highlights a growing but often underestimated risk: the improper use of public AI tools in environments where data security is paramount.
A Calculated Exception, Unintended Consequences
Gottumukkala’s access to ChatGPT was not accidental. He was granted a temporary exception by CISA’s Office of the Chief Information Officer as part of an initiative to explore the potential of AI tools. At the time, most DHS employees were blocked from using the public version of ChatGPT due to concerns over data handling and information leakage.
Despite the limited scope of the access, automated cybersecurity sensors at CISA flagged multiple uploads in August 2025. An internal review followed to determine whether the disclosures posed any risk to government security, although the results of that assessment have not been made public.
The situation underscores a key issue facing organisations today: even well-intentioned experimentation with AI can expose sensitive information if guardrails are not firmly in place.
Why Public AI Tools Like ChatGPT Pose Unique Risks
The concern surrounding the use of ChatGPT in this context stems from how public AI platforms operate. Inputs submitted to ChatGPT are shared with OpenAI and may be used to improve responses for other users. With hundreds of millions of users worldwide, this model raises red flags when sensitive or internal data is involved.
This stands in contrast to internal AI systems developed specifically for government use. Within DHS, for example, staff have access to proprietary tools such as DHSChat, which are configured to prevent data from leaving federal systems. These internal platforms are designed with strict controls that public AI tools simply do not offer.
For companies, the distinction is critical. Using consumer-grade AI tools for internal documents, contracts, or operational data can inadvertently result in information leaving organisational boundaries.
A Broader Lesson for Organisations
CISA has since clarified that Gottumukkala’s access to ChatGPT was “temporary and limited,” and that access to the public platform remains blocked by default unless an exception is granted. Still, the incident has intensified scrutiny of leadership decisions and reignited debate over how AI should be deployed in sensitive environments.
More broadly, it serves as a cautionary tale for enterprises across sectors. As AI tools become increasingly embedded in daily workflows, organisations must recognise that not all AI is created equal—and that convenience can come at the cost of control.
The rapid adoption of AI has outpaced many companies’ data governance frameworks. Without clear policies, employee training, and purpose-built tools, the risk of accidental data exposure will only grow.
As organisations continue to explore the benefits of AI, the responsibility lies with leadership to ensure that innovation does not undermine security. The promise of AI is undeniable—but without proper safeguards, it can quickly become a liability rather than an advantage.



