The acting head of the US government’s primary cybersecurity agency reportedly inputted sensitive government files into a public instance of ChatGPT, leading to internal security flags and a federal review, according to a recent investigation by Politico.
Madhu Gottumukkala, serving as the interim director of the Cybersecurity and Infrastructure Security Agency (CISA), allegedly uploaded contracting documents marked “For Official Use Only” into the generative AI platform last summer. The report details that Gottumukkala sought and received a special exemption to access ChatGPT, which is typically restricted for most Department of Homeland Security (DHS) personnel.
Federal cybersecurity monitoring systems reportedly flagged these uploads in early August, prompting a DHS-led damage assessment to ascertain if the sensitive information had been compromised. Public versions of ChatGPT transmit user inputs to OpenAI, creating inherent risks when proprietary or classified data is introduced outside secure government networks.
CISA spokesperson Marci McCarthy confirmed to Politico that Gottumukkala was authorized to use the tool, stating he “was granted permission to use ChatGPT with DHS controls in place,” characterizing the usage as “short-term and limited.” Gottumukkala has held the acting director role since May, pending the Senate confirmation of Sean Plankey for the permanent position.
This incident adds to previous reports concerning Gottumukkala’s tenure; Politico also noted that he previously failed a counterintelligence polygraph examination required for access to highly sensitive intelligence materials. Gottumukkala reportedly rejected that characterization when questioned during recent congressional testimony.
The situation arises as the current administration continues to promote the adoption of artificial intelligence tools across various federal departments, including the Pentagon’s stated “AI-first” strategy for military expansion.
This case highlights the critical tension between federal efforts to integrate advanced AI capabilities and the stringent security protocols necessary to protect national data assets from inadvertent exposure via commercial platforms.
