Highlights:
- Gottumukkala uploaded sensitive but unclassified files into public ChatGPT
- Automated cybersecurity systems flagged multiple warnings
- DHS launched an internal review to assess potential damage
- Files were marked “for official use only,” not for public release
- Incident adds to a series of controversies during his tenure
Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), uploaded sensitive government documents into a public version of ChatGPT last summer, triggering internal cybersecurity alarms and prompting a Department of Homeland Security (DHS) review, according to four DHS officials familiar with the matter.
The files uploaded by Gottumukkala were not classified, but they included CISA contracting documents labeled “for official use only,” a designation reserved for information considered sensitive and restricted from public disclosure. The uploads were flagged by CISA’s cybersecurity monitoring systems in early August, with one official saying multiple alerts were triggered within the first week alone.
The incident was particularly striking because Gottumukkala had sought and received special permission from CISA’s Office of the Chief Information Officer to use ChatGPT shortly after arriving at the agency in May. At the time, access to the AI chatbot was blocked for most other DHS employees due to concerns about data security and information leakage.
Senior DHS officials subsequently initiated an internal review to determine whether the uploads caused harm to government systems or exposed sensitive information. Two officials said the review rose to the DHS level, though it remains unclear what conclusions were reached or whether any disciplinary action was taken.
In an emailed statement, CISA Director of Public Affairs Marci McCarthy said Gottumukkala was “granted permission to use ChatGPT with DHS controls in place” and described the usage as “short-term and limited.” She added that the agency supports the responsible use of artificial intelligence in line with President Trump’s executive order aimed at removing barriers to U.S. leadership in AI.
McCarthy also disputed part of the reported timeline, saying Gottumukkala last used ChatGPT in mid-July 2025 under a temporary exception granted to select employees. She emphasized that CISA continues to block ChatGPT by default unless specific authorization is provided.
Unlike government-approved tools such as DHSChat, a secure, internally hosted AI assistant, the public version of ChatGPT shares uploaded data with OpenAI and may use it to improve responses for other users. OpenAI has said ChatGPT has more than 700 million active users worldwide, amplifying concerns about unintended data exposure.
According to DHS policy, any exposure of “for official use only” material must be investigated to determine cause, impact, and whether administrative or disciplinary action is appropriate. Possible responses range from retraining to the suspension or revocation of security clearances.
After the activity was detected, Gottumukkala met with senior DHS leadership to review the material he had uploaded. Officials involved in the review reportedly included then-acting DHS General Counsel Joseph Mazzara, DHS Chief Information Officer Antoine McCord, CISA CIO Robert Costello, and CISA Chief Counsel Spencer Fisher.
Gottumukkala has led CISA in an acting capacity since May, after being appointed deputy director by DHS Secretary Kristi Noem. His tenure has been marked by turbulence. Earlier this year, several career staff members were placed on leave following an unsanctioned counterintelligence polygraph that Gottumukkala pushed to take. He has also clashed with senior officials, including a recent attempt to remove CISA’s CIO that was blocked by other political appointees.
The ChatGPT episode adds to mounting scrutiny of Gottumukkala’s leadership at an agency charged with defending federal networks against cyber threats from adversaries such as Russia and China.
