ChatGPT Security Risks in Enterprise: 2026 Guide to Data Leaks, Breaches & Prevention
Explore ChatGPT security risks, from data breaches to malware, and learn the best practices to protect your organisation's sensitive data.

ChatGPT encrypts data in transit (TLS 1.2+) and at rest (AES-256). OpenAI is SOC 2 Type II certified, offers ChatGPT Enterprise with SAML SSO, SCIM, audit logs, and customer-managed encryption keys. ChatGPT Enterprise and the API default to Zero Data Retention on prompts — OpenAI does not train on your data, and conversations aren't retained beyond 30 days (often less).
All of that is real. None of it addresses the actual security question enterprises face:
What did the employee paste into the prompt?
Encryption protects data moving between your browser and OpenAI's servers. It does not protect data moving into the prompt in the first place. That's the gap, and it's where every significant ChatGPT security incident has happened.
The risks below are stack-ranked by how often we see them in customer environments, not by theoretical severity.
Employees pasting sensitive data into prompts is the single largest ChatGPT security risk. Cyberhaven's 2023 research found that at organizations averaging 100,000 employees, confidential data was entered into ChatGPT ~200 times per week. That data included source code, customer records, financial forecasts, and internal strategy documents.
Once a prompt leaves the browser, you've lost control of it. Even on ChatGPT Enterprise with ZDR, that data is now in a transcript your employees can screenshot, forward, or re-paste into unsanctioned tools.
Your company may have purchased ChatGPT Enterprise. Your employees may not be using it. They'll sign up for personal ChatGPT Plus accounts with their personal email, paste work data, and bypass every control your IT team built. On Free and Plus tiers, OpenAI trains on that data by default.
Enterprise buyers consistently underestimate this. The ratio of sanctioned-to-shadow ChatGPT usage in most organizations is roughly 1:3.
Developers debugging code paste everything: config files, environment variables, private keys, database connection strings. A 2023 Group-IB analysis found 225,000+ stolen ChatGPT account credentials circulating on dark web marketplaces, most harvested by infostealer malware. Those accounts contained conversation histories loaded with proprietary information — including credentials.
As soon as ChatGPT reads external content — a URL, a PDF, a shared document, a Slack message — that content can contain hidden instructions. Johann Rehberger's disclosed vulnerability in ChatGPT's memory feature (2024) demonstrated exfiltration of conversation data via prompt injection. The attack surface expands every time OpenAI ships a new feature (Search, Code Interpreter, Connectors, Agents).
OpenAI reviews plugins and custom GPTs, but data sent to a third-party plugin follows that plugin's privacy policy — not OpenAI's. Custom GPTs have repeatedly leaked system prompts, uploaded knowledge files, and attached documents through prompt injection. Enterprise connectors to SharePoint, Google Drive, and GitHub extend the risk surface into your most sensitive systems.
Unless you have a Business Associate Agreement (BAA) with OpenAI — available on ChatGPT Enterprise — sending PHI to ChatGPT is a HIPAA violation. PCI DSS data has similar constraints. Most ChatGPT Free, Plus, and Team users at healthcare and fintech companies don't realize their prompts are non-compliant until an audit surfaces it.
When ChatGPT fetches a URL on behalf of the user, a malicious page can inject instructions telling ChatGPT to exfiltrate conversation history to an attacker-controlled domain. Multiple variants of this attack have been documented in 2024 and 2025.
Cut from most "ChatGPT security" articles (and rightly so for enterprise buyers): sponge sampling, model inversion, training data reconstruction, data poisoning. These are real research topics but essentially irrelevant to an enterprise CISO deciding whether to approve ChatGPT usage. The risks above are what actually cause incidents.
Within 20 days of Samsung allowing ChatGPT internally, three separate engineers pasted confidential information into the chatbot — including semiconductor source code and internal meeting recordings transcribed for summarization. Samsung banned ChatGPT enterprise-wide shortly after. The Samsung incident remains the single most-cited example of why ChatGPT usage needs detection controls before the prompt, not just at the network layer.

In March 2023, a bug in the open-source Redis client library caused ChatGPT to show other users' chat titles to random users, and exposed payment-related data (first and last names, email addresses, payment addresses, last four digits of credit card numbers, and card expiration dates) of roughly 1.2% of ChatGPT Plus subscribers active during a nine-hour window. OpenAI disclosed and patched the issue; the incident prompted Italy's data protection authority to temporarily ban ChatGPT nationwide.
Group-IB's threat intelligence team identified stolen ChatGPT credentials in logs from Raccoon, Vidar, and RedLine infostealer malware, sold on dark web marketplaces throughout 2023. These accounts gave attackers full access to chat histories — essentially, employee confessions of what their companies were working on.
Security researcher Johann Rehberger disclosed that ChatGPT's memory feature could be abused through prompt injection — an attacker could plant instructions in documents or web pages ChatGPT read, which would then write persistent malicious entries into a user's long-term memory. Those entries could include instructions to silently exfiltrate future conversations.
Italy's Garante has repeatedly opened investigations into ChatGPT for GDPR violations — including insufficient legal basis for training data, inadequate age verification, and improper handling of European user data. Fines have reached €15 million (December 2024). Other EU DPAs (France, Germany, Spain) have opened parallel investigations.
The pattern: nearly every disclosed ChatGPT security incident traces back to data that never should have entered a prompt in the first place — or to an integration that exposed conversations to third parties. Encryption and SOC 2 certifications don't help with either.
Enterprise buyers often assume "we're on ChatGPT, we're fine." The tier matters enormously.
The overwhelming majority of ChatGPT-related data leaks in enterprise happen on Free and Plus tiers — accounts your IT team didn't provision and can't govern. Buying ChatGPT Enterprise does not solve this on its own. You also need a way to detect when employees are using personal accounts on corporate devices.
ChatGPT Enterprise connectors to Google Drive, SharePoint, GitHub, and Slack are powerful — and they multiply the attack surface. A single misconfigured connector scope can expose every file a user has read access to, not just what they meant to share with ChatGPT. Meanwhile, building ChatGPT into your own products via the API exposes customer data to OpenAI's infrastructure (even under ZDR, metadata flows through).
Common integration risks:
Mitigation checklist for integrated ChatGPT:
What ChatGPT Enterprise covers out of the box: Zero Data Retention on prompts and responses by default, no training on your data, SAML SSO, SCIM, audit logs, customer-managed encryption keys, BAAs for healthcare customers, and SOC 2 Type II certification.
What ChatGPT Enterprise does NOT cover: inspecting the content of prompts to stop sensitive data from being sent in the first place, discovering employees who use personal ChatGPT accounts on work devices, and enforcing your policies on downstream tools.
This gap is what Strac is built to close.
PHI in a ChatGPT prompt without a signed BAA is a HIPAA violation — full stop. Even with a BAA (Enterprise only), HIPAA's minimum-necessary principle requires that only the minimum PHI needed be disclosed. That means de-identification or redaction before the prompt is sent, not after.
PCI DSS Requirement 4 prohibits unencrypted transmission of cardholder data over open, public networks — but also requires strict controls on where cardholder data can live. Sending a PAN into ChatGPT, even with ZDR, creates audit exposure. GLBA and SOX similarly require documented controls over customer and financial data handling.
Article 32 requires appropriate technical and organizational measures. Pasting EU personal data into any LLM without DPIA, explicit lawful basis, and data minimization controls almost always fails this bar. Italy's ongoing ChatGPT enforcement is the warning shot.
Student records in ChatGPT without consent violate FERPA. Most schools have no DLP controls around ChatGPT usage by faculty — an audit risk that's grown rapidly since 2023.
Strac closes the content-inspection gap with four layers, each deployable independently or together.
A Chrome/Edge/Firefox extension that inspects every ChatGPT interaction (chat.openai.com, chatgpt.com, enterprise tenants, custom GPTs) in real time — before data leaves the browser. Three enforcement modes: block, warn, and audit.
Detection covers 100+ sensitive types out of the box: SSNs, driver's licenses, passport numbers, credit cards, bank accounts, medical record numbers, API keys, AWS credentials, OAuth tokens, private keys, and custom regex patterns for your internal data (employee IDs, project codenames, case numbers).

Strac's endpoint agent discovers which AI tools your employees are actually using — including personal ChatGPT Plus, personal Claude, Microsoft Copilot, Perplexity, and locally-run models. Enterprise email enforcement nudges users off personal accounts when a corporate alternative exists.
Redact sensitive data in the SaaS tools that feed ChatGPT connectors — Slack, Zendesk, Jira, Salesforce, Google Drive, SharePoint, Box. If ChatGPT never sees the raw PHI in a Slack message, it can't accidentally include it in a summary.
As AI agents start calling tools on employees' behalf via MCP (Model Context Protocol), Strac inspects and redacts data at the MCP server boundary — blocking sensitive data from being sent to agents, or redacting it inline before the agent sees it.
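As an added example (not Strac's code and not part of the original article), here is a minimal JavaScript inspector of the kind that would run in a browser extension before submit: pattern detectors for several of the types listed above (Luhn-validated card numbers, SSNs, AWS access key IDs, private-key headers, and a constructed custom pattern standing in for an internal project codename), the block / warn / audit decision, and a `redact` function that is also the operation a SaaS-side or MCP-boundary layer would apply before a connector or agent reads the content. The detector set, the `PRJ-XXXX-000` codename format, and the return shape of `inspectPrompt` are assumptions made for this example.

```javascript
// Added example (not Strac's code): pre-submit prompt inspector plus inline redaction.
function luhnOk(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (dbl) d = d > 4 ? d * 2 - 9 : d * 2;
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}
// Each detector: a global regex, optionally a validator to cut false positives.
const DETECTORS = [
  { type: 'CREDIT_CARD', re: /\b(?:\d[ -]?){12,18}\d\b/g, validate: luhnOk },
  { type: 'SSN', re: /\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g },
  { type: 'AWS_ACCESS_KEY_ID', re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  { type: 'PRIVATE_KEY', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  // Constructed custom pattern standing in for a customer's internal codename format.
  { type: 'PROJECT_CODENAME', re: /\bPRJ-[A-Z]{4}-\d{3}\b/g },
];
// Returns findings sorted by position; overlaps are resolved in redact().
function findSensitive(text) {
  const findings = [];
  for (const det of DETECTORS) {
    for (const m of text.matchAll(det.re)) {
      if (det.validate && !det.validate(m[0])) continue;
      findings.push({ type: det.type, index: m.index, length: m[0].length });
    }
  }
  return findings.sort((a, b) => a.index - b.index);
}
// Replaces each finding with a type placeholder: the same step an upstream Slack
// message or an MCP tool result would go through before ChatGPT sees it.
function redact(text, findings = findSensitive(text)) {
  let out = '', pos = 0;
  for (const f of findings) {
    if (f.index < pos) continue; // covered by an earlier, overlapping match
    out += text.slice(pos, f.index) + '[' + f.type + ']';
    pos = f.index + f.length;
  }
  return out + text.slice(pos);
}
// Browser-layer decision: 'block' stops the submit and returns a redacted version the
// user may send instead; 'warn' surfaces findings for confirmation; 'audit' logs only.
function inspectPrompt(text, mode) {
  const findings = findSensitive(text);
  if (findings.length === 0) return { action: 'allow', findings, text };
  if (mode === 'block') return { action: 'block', findings, text: redact(text, findings) };
  if (mode === 'warn') return { action: 'warn', findings, text };
  return { action: 'allow', findings, text }; // 'audit': caller logs the findings
}
```

The Luhn check matters in practice: without it, any 13-19 digit run (order numbers, timestamps) would trigger a block and train users to ignore the warnings.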


Deployment is agentless on the SaaS side and takes roughly 10 minutes. The browser extension rolls out via Chrome Enterprise, Edge for Business, or Jamf in a standard MDM flow.
Use this as a monthly audit for your organization:
Three shifts worth watching:
Agentic AI moves the attack surface. As ChatGPT, Claude, and Copilot gain autonomous agent capabilities that call tools, connect to data sources, and take actions, the risk stops being "what did the employee paste" and becomes "what did the agent decide to send, on its own." Inline inspection at the tool/MCP boundary becomes the new DLP surface.
Shadow AI becomes the real governance problem. Enterprise buyers are slowly realizing that buying ChatGPT Enterprise, Copilot, and Claude Enterprise doesn't eliminate AI risk — it consolidates maybe 40% of it. The rest lives in personal accounts, browser-based agents, and locally-run models. Discovery and enforcement on the endpoint is where the 2026–2027 tooling battle will be fought.
Regulation catches up. The EU AI Act, updated NIST AI RMF, ISO 42001, and state-level laws (California, Colorado, Texas) are converging on a common requirement: documented controls over what sensitive data is sent to what AI systems, with auditable evidence. "We trust OpenAI's ZDR" will not be a sufficient answer.
Strac is building toward all three: agentic DLP via MCP inspection, shadow AI discovery on endpoints, and auditable controls that map to AI governance frameworks.
ChatGPT security in enterprise isn't about whether OpenAI is secure — they are, by any reasonable measure. It's about the gap between what OpenAI protects (the pipes) and what your enterprise needs to protect (the content and the context).
Every meaningful ChatGPT security incident since 2023 has happened in that gap. Employees pasted data they shouldn't have. Personal accounts got breached. Integrations were over-scoped. Agents exfiltrated conversations. None of those are problems OpenAI can solve from their side of the wire.
Strac sits in the gap. Detect sensitive data before it leaves the browser. Redact it before it reaches an integration. Discover shadow accounts before an audit does. Block what shouldn't be there — warn when context matters — audit silently when it's time to learn, not enforce.
Adopt AI aggressively. Govern what your people share with it ruthlessly. That's the combination that wins.
Book a 15-minute demo to see Strac's ChatGPT DLP in action. Or explore the Strac ChatGPT DLP integration, browse all 50+ Strac integrations, or dig deeper on related coverage: Claude DLP, Microsoft Copilot DLP, Slack DLP, Browser DLP, and Endpoint DLP.
Is ChatGPT safe for work? Conditionally. ChatGPT Enterprise and the API (with data controls enabled) offer genuine enterprise-grade security — Zero Data Retention, SOC 2 Type II, BAAs, SSO, audit logs. ChatGPT Free, Plus, and Team do not; they train on your data by default and lack enterprise controls. But even ChatGPT Enterprise doesn't stop employees from pasting sensitive data into prompts — that's your responsibility. The answer to "is ChatGPT safe for work" depends entirely on which tier you're on and what content-level controls you've layered on top.
Employees pasting sensitive data into prompts on personal or unmanaged accounts. Cyberhaven's research found confidential data entering ChatGPT ~200 times per week at an average 100,000-person company. Every significant publicly-disclosed ChatGPT data leak — Samsung, the 225K infostealer credential dump, multiple regulatory investigations — traces back to this root cause. Model-theoretic risks (data reconstruction, poisoning) get more press but cause almost no real enterprise incidents.
There has not been a successful breach of OpenAI's core infrastructure that exposed enterprise data at scale. The closest incidents: a March 2023 Redis bug that briefly exposed chat titles and some billing data to other users during a nine-hour window, and ongoing account-takeover attacks (225,000+ credentials on the dark web via infostealer malware, not a ChatGPT breach per se). Prompt injection vulnerabilities in features like ChatGPT Memory and Search have been responsibly disclosed and patched. The bigger practical risk is account-level compromise, not infrastructure-level breach.
Yes, within documented limits. ChatGPT Enterprise enables Zero Data Retention by default on prompts and responses, does not train on your data, offers SAML SSO, SCIM, audit logs, customer-managed encryption keys (via Enterprise Key Management), and signs BAAs for healthcare customers. OpenAI is SOC 2 Type II certified. What Enterprise does NOT do: inspect the content of prompts to stop sensitive data from being sent in the first place, discover employees using personal ChatGPT accounts on work devices, or enforce your policies on downstream tools. Those require a layered control like Strac.
Three layers, in order of effort: (1) Deploy a browser-based detection and enforcement tool like Strac that inspects every ChatGPT prompt before submit, with block/warn/audit modes. (2) Discover and block personal ChatGPT, Claude, and Gemini accounts on corporate devices; buying ChatGPT Enterprise doesn't automatically replace shadow accounts, so you have to force the swap. (3) Put DLP in the SaaS tools upstream of ChatGPT (Slack, Zendesk, Jira, Google Drive, SharePoint) so sensitive data is redacted before it ever flows into an AI integration. A policy document alone does not prevent leaks — controls do.