Madhu Gottumukkala, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA) under President Trump, uploaded sensitive government documents into a public version of ChatGPT last summer, according to four Department of Homeland Security officials familiar with the incident. The uploads triggered internal cybersecurity warnings and led DHS to launch a review to assess whether government systems or sensitive information were compromised.

The files were not classified, but officials said they included CISA contracting materials clearly marked “for official use only.” That designation is used for information considered sensitive and restricted from public release, even if it does not rise to the level of formal classification. Automated cybersecurity monitoring tools flagged the uploads in early August, with one official noting that multiple alerts were generated within the first week.

Trump Administration Cybersecurity Controls and ChatGPT Use

The incident drew particular attention inside DHS because Gottumukkala had requested and received special permission from CISA’s Office of the Chief Information Officer to use ChatGPT shortly after joining the agency in May. At the time, access to the AI chatbot was blocked for most DHS employees due to concerns over data security and the potential for information leakage.

Public versions of ChatGPT differ significantly from government-approved tools. Unlike DHSChat, an internally hosted and secured AI assistant, the public version of ChatGPT shares uploaded data with OpenAI and may use that information to improve responses for other users. OpenAI has stated that ChatGPT has more than 700 million active users globally, increasing the risk that sensitive information could be inadvertently exposed.

Senior DHS officials initiated an internal review after the activity was detected. Two officials said the matter escalated to the DHS level, though it remains unclear what conclusions were ultimately reached or whether disciplinary action followed. Under DHS policy, any exposure of “for official use only” material requires an investigation to determine the cause, potential impact, and whether administrative or disciplinary measures are warranted. Possible outcomes range from retraining to suspension or revocation of security clearances.

Trump-Era AI Policy and Official Response

In an emailed statement, CISA Director of Public Affairs Marci McCarthy said Gottumukkala was “granted permission to use ChatGPT with DHS controls in place” and described the use as “short-term and limited.” She added that CISA supports the responsible use of artificial intelligence in line with President Trump’s executive order aimed at removing barriers to U.S. leadership in AI.

McCarthy also challenged part of the reported timeline. She said Gottumukkala last used ChatGPT in mid-July 2025 under a temporary exception granted to a small group of employees. She emphasized that CISA continues to block ChatGPT by default and only allows access through specific authorization.

After the uploads were flagged, Gottumukkala met with senior DHS leadership to review the materials he had shared. Officials involved in those discussions reportedly included then-acting DHS General Counsel Joseph Mazzara, DHS Chief Information Officer Antoine McCord, CISA CIO Robert Costello, and CISA Chief Counsel Spencer Fisher.

Trump, CISA Leadership, and Growing Scrutiny

Gottumukkala has served as acting head of CISA since May, after being appointed deputy director by DHS Secretary Kristi Noem under the Trump administration. His leadership period has been marked by internal disputes and management challenges. Earlier this year, several career staff members were placed on leave following an unsanctioned counterintelligence polygraph that Gottumukkala advocated. He has also clashed with senior officials, including an unsuccessful attempt to remove CISA’s chief information officer that was blocked by other political appointees.

The ChatGPT incident adds another layer of scrutiny to Gottumukkala’s tenure at an agency tasked with protecting federal networks and critical infrastructure from cyber threats posed by adversaries such as Russia and China. As cyber risks increase and artificial intelligence becomes more embedded in government operations, the episode highlights ongoing tensions between innovation, security controls, and compliance within the Trump-era federal cybersecurity framework.

While DHS has not publicly disclosed the outcome of its review, the case underscores the sensitivity surrounding AI tools in national security environments and the strict standards governing the handling of government information, even when it is not formally classified.