US Cyber Chief Probed After Uploading Sensitive Contract Files to Public Chatbot

The acting head of the US Cybersecurity and Infrastructure Security Agency (CISA), Madhu Gottumukkala, is under internal review after uploading several sensitive government contracting documents to the public version of ChatGPT in mid‑2025, according to multiple reports citing Department of Homeland Security (DHS) officials. The files were reportedly marked “For Official Use Only,” a designation used for government information that is not classified but is not intended for public release.


Automated cybersecurity sensors on CISA systems flagged the uploads in early August 2025, generating multiple alerts in the first week of that month and prompting DHS to open an internal review into whether any government data was exposed or security was harmed. Officials have said that the review’s final conclusions, including whether any mitigation steps were required, have not been made public.


Gottumukkala, who has led CISA since May 2025, had previously requested and received a temporary exception to use ChatGPT for work purposes at a time when most DHS employees were restricted to internal, firewalled AI tools such as the agency’s own DHSChat system. Those internal tools are configured to keep any uploaded data inside federal networks, unlike public AI platforms that may process user inputs on external servers.


The disclosures have renewed debate in Washington about how senior officials handle sensitive digital information and whether existing AI policies are sufficient for agencies charged with defending federal networks and critical infrastructure. Lawmakers and cybersecurity experts have pointed to the incident as evidence that agencies need clearer rules, better training, and stricter technical safeguards before relying on commercial AI systems for government work.
