4 min read
What Is Shadow AI? How to Manage it in Your Business
At some point in the last six months, someone on your team used an AI tool to get something done faster. Maybe it was a proposal. A job posting. A...
5 min read
Tony DiDonato : July 6, 2026
In January 2026, a senior official at the U.S. Cybersecurity and Infrastructure Security Agency uploaded internal contracting documents marked "For Official Use Only" into the public version of ChatGPT. Most people might assume that things like this come from junior employees cutting corners.
In reality, it was the agency's own interim chief, at the organization literally tasked with cybersecurity for the federal government. If someone in that seat can get this wrong, the security of ChatGPT needs a more useful answer than yes or no.
The security of the tool depends on which ChatGPT you're talking about. There isn't one ChatGPT. There are at least four, and they behave very differently with your data.
ChatGPT can be secure enough for business use, but only on the right plan and with the right guardrails in place. The free version and personal ChatGPT Plus were built for individuals, not companies, and neither one gives you the data controls a business needs. ChatGPT Team, Business, and Enterprise were built for exactly that, with significant differences in what each one protects.
Treating ChatGPT as a single product is where most business owners go wrong. While it’s one of the most important tools to consider in your complete workplace AI security, it’s not the full picture either. The version your intern signed up for on their phone is not the version your IT provider would set up for the whole company, and the gap between the two is bigger than people expect.
OpenAI sells ChatGPT in several flavors, and the names get thrown around interchangeably even though they're not close to the same thing.
By default, OpenAI does not use conversations from ChatGPT Team, Business, Enterprise, or Edu to train its models. That protection does not extend to the free version or personal Plus accounts, where inputs can be used for training unless a user manually opts out in settings.
Here's how the tiers stack up:
|
Plan |
Trains on your inputs? |
Default retention |
Admin controls |
|
Free / Plus (personal) |
Yes, unless the user opts out |
Stored until deleted, plus 30 days |
None, it's a personal account |
|
ChatGPT Team |
No, by default |
Configurable by workspace |
Basic admin console |
|
ChatGPT Business |
No, by default |
Configurable by workspace |
Admin console, SSO available |
|
ChatGPT Enterprise |
No, by default |
Minimum 90 days, admin-set |
SSO, SCIM, audit logs, encryption key management |
Even on Enterprise, OpenAI holds onto conversation data for a minimum retention window (90 days by default, and up to 30 days after deletion for abuse monitoring on other tiers). During that window, the data can be reviewed for safety purposes and is stored on OpenAI's infrastructure, not yours.
It's also legally reachable. In early 2026, a court ordered OpenAI to turn over tens of millions of ChatGPT conversation logs as part of a legal case. If your team ever discussed something sensitive, a contract dispute, a personnel issue, financial projections, it's worth knowing that conversation may not stay private forever, no matter which plan you're on.
This is where most of the actual risk lives. One 2026 industry estimate found that nearly half of employee LLM prompts contain sensitive company data, and most of that happens on free or personal accounts your company never approved or set up.
That CISA incident from the intro is the extreme version of a very common pattern. An employee needs to move fast, opens ChatGPT on their personal account because it's already logged in, and pastes in something they shouldn't.
This is the same behavior we cover in our post on shadow AI: tools employees adopt on their own, outside of any policy or IT visibility. ChatGPT is usually the biggest offender simply because it's the most well known name in the category.
Here’s some simple steps to help your employees securely use ChatGPT:
ChatGPT isn't inherently unsafe, but it isn't automatically safe either. The difference comes down to which version your team is using and whether anyone set it up on purpose. Most businesses have employees using AI right now, whether it's approved or not.
If you're not sure which ChatGPT plan your team is using, or whether your current setup protects anything at all, that's a conversation worth having before it becomes a bigger problem. Reach out to TMGC and we'll help you figure out where you stand.
If you want a head start before the call, take our AI readiness quiz to learn more about your current posture.
Is ChatGPT Enterprise safe for a small business?
ChatGPT Enterprise is safe for a small business from a controls standpoint, but it's often more than a small team actually needs. Team or Business usually covers the same core protections at a more realistic scale and price.
What's the difference between ChatGPT Team and Business?
Team is the entry-level workspace plan built for small groups. Business adds stronger admin controls and is aimed at companies that need more oversight but aren't ready for the full Enterprise feature set.
Does turning off chat history stop OpenAI from seeing my data?
No. Turning off chat history or using temporary chat stops that conversation from being used to train the model and keeps it out of your visible history, but OpenAI still retains it on their servers for up to 30 days for safety monitoring.
4 min read
At some point in the last six months, someone on your team used an AI tool to get something done faster. Maybe it was a proposal. A job posting. A...
6 min read
Somebody on your team used AI today. Maybe they dropped a client contract into ChatGPT to summarize it. Maybe they pasted a customer list into a...
8 min read
Most businesses reach a point where technology stops being something that just works in the background and starts becoming something that requires...