The acting head of U.S. cybersecurity under President Donald Trump uploaded sensitive government documents to ChatGPT, triggering fresh concerns over AI use inside federal agencies and the handling of classified or restricted information.
A routine experiment that escalated into a security issue
A senior U.S. official tasked with safeguarding federal cyber infrastructure uploaded sensitive government materials into ChatGPT, according to reporting first published by TechCrunch. The incident involves the acting national cybersecurity chief during President Donald Trump’s administration, raising questions about how emerging AI tools are being used — and misused — at the highest levels of government.
The documents, while not publicly released in full, reportedly contained non-public government information. Their submission to a third-party generative AI platform has alarmed cybersecurity professionals, who warn that even limited disclosures can introduce long-term risks once data enters external systems.
How the documents reached ChatGPT
According to the report, the official used ChatGPT as part of routine work-related experimentation, seeking assistance with summarisation and analysis. In doing so, sensitive internal documents were uploaded directly into the system. While there is no indication that the information was classified at the highest levels, experts note that many government materials remain protected due to operational, legal, or national security implications.
The episode highlights a growing disconnect between the rapid adoption of generative AI tools and the slower pace of policy enforcement across public-sector institutions.
Why this matters for federal cybersecurity policy
The irony of the situation has not gone unnoticed. The acting cybersecurity chief oversees policy and guidance intended to protect federal agencies from data leaks, foreign intelligence collection, and digital exposure. Uploading sensitive documents to an external AI system runs counter to long-standing federal data-handling protocols.
Cybersecurity specialists point out that even when AI providers claim not to train models on user data, the act of transferring sensitive material outside secure government environments can violate internal rules and risk unintended retention or access.
A broader problem across government and enterprise
The incident underscores a wider challenge facing governments and large organisations globally. Generative AI tools like ChatGPT are increasingly embedded into daily workflows, often ahead of clear rules governing what can and cannot be shared.
In recent months, multiple agencies and enterprises have issued internal warnings restricting employee use of consumer AI tools for official work. Enforcement, however, remains uneven, particularly among senior officials who may view experimentation as low-risk.
What happens next
While there has been no public confirmation of disciplinary action, the incident is expected to prompt renewed scrutiny of AI governance inside U.S. federal agencies. Lawmakers and regulators are already debating whether stricter controls — or government-approved AI systems — are needed to prevent sensitive information from leaking into commercial platforms.
For now, the episode serves as a cautionary signal. As generative AI becomes a standard productivity tool, even those responsible for cybersecurity are not immune to missteps. The challenge for governments will be balancing innovation with discipline, ensuring that enthusiasm for AI does not outpace the safeguards designed to protect public data.
