The acting head of the US Cybersecurity and Infrastructure Security Agency (CISA) reportedly uploaded sensitive government contracting documents to the public version of ChatGPT in mid-July 2025, setting off multiple automated security alerts, according to a report by Politico.
The incident involved Madhu Gottumukkala, CISA’s acting director, who had sought special approval from the agency’s Office of the Chief Information Officer to use the AI chatbot after taking charge in May 2025. Despite safeguards, the uploads activated internal cybersecurity sensors designed to detect potential leaks or unauthorized disclosures of government information.
The alerts were triggered several times in August, prompting CISA to launch an internal review to evaluate any possible risks to national security. While none of the documents uploaded were classified, they reportedly included contracting materials marked “For Official Use Only”, a label applied to sensitive information not meant for public release.
Because data shared on the public version of ChatGPT is accessible to OpenAI and may be used to improve responses for other users, officials flagged the incident as a potential exposure risk—particularly given the platform’s massive global user base.
At the time, ChatGPT access was blocked for most employees within the Department of Homeland Security (DHS). The report noted that Gottumukkala’s use of the AI tool exceeded the scope of the temporary and limited exception granted to him.
Confirming the incident, CISA Director of Public Affairs Marci McCarthy said Gottumukkala had been authorized to use ChatGPT under DHS controls for short-term purposes only, adding that access to the tool remains restricted by default.
In a separate statement, CISA clarified that Gottumukkala last used ChatGPT in mid-July 2025 under an approved exception and that standard restrictions are still in place for agency staff.
Gottumukkala, an Indian-origin official, is currently the senior-most political appointee at CISA and was named acting director by DHS Secretary Kristi Noem in May 2025.
Interestingly, the disclosure surfaced just a day after CISA urged critical infrastructure organizations to strengthen defenses against insider threats. On January 28, the agency released a new resource aimed at helping organizations proactively prevent, detect, and mitigate insider risks.
The guidance highlights two major categories of insider threats—deliberate malicious actions and unintentional human errors—both of which can expose systems to serious vulnerabilities if left unaddressed.
