Description: Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), reportedly uploaded government contracting documents marked "for official use only" into a public version of ChatGPT. The uploads reportedly triggered automated cybersecurity alerts and prompted a Department of Homeland Security review to assess potential exposure of sensitive information.
Editor Notes: Timeline note: The incident ID date of 07/15/2025 reflects the period in mid-July 2025 when sensitive documents were reportedly uploaded to a public AI system; exact upload dates have not been publicly disclosed. Politico published their report on 01/27/2026; the incident ID was created 02/01/2026.
Entities
View all entitiesAlleged: OpenAI developed an AI system deployed by Madhu Gottumukkala, which harmed United States Department of Homeland Security , Cybersecurity and Infrastructure Security Agency , United States Government and National security and intelligence stakeholders.
Alleged implicated AI system: ChatGPT
Incident Stats
Risk Subdomain
A further 23 subdomains create an accessible and understandable classification of hazards and harms associated with AI
2.1. Compromise of privacy by obtaining, leaking or correctly inferring sensitive information
Risk Domain
The Domain Taxonomy of AI Risks classifies risks into seven AI risk domains: (1) Discrimination & toxicity, (2) Privacy & security, (3) Misinformation, (4) Malicious actors & misuse, (5) Human-computer interaction, (6) Socioeconomic & environmental harms, and (7) AI system safety, failures & limitations.
- Privacy & Security
Entity
Which, if any, entity is presented as the main cause of the risk
Human
Timing
The stage in the AI lifecycle at which the risk is presented as occurring
Post-deployment
Intent
Whether the risk is presented as occurring as an expected or unexpected outcome from pursuing a goal
Unintentional
Incident Reports
Reports Timeline
Loading...
The interim head of the country's cyber defense agency uploaded sensitive contracting documents into a public version of ChatGPT last summer, triggering multiple automated security warnings that are meant to stop the theft or unintentional …
Variants
A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.
Seen something similar?
Similar Incidents
Did our AI mess up? Flag the unrelated incidents
Similar Incidents
Did our AI mess up? Flag the unrelated incidents