CISA Defends Director’s Use of AI Tool Despite Internal Compliance Review

The uploading of “for official use only” documents to ChatGPT by the acting chief of the U.S. Cybersecurity and Infrastructure Security Agency has reignited concerns among public sector cybersecurity veterans over artificial intelligence governance and leadership judgement at the nation’s cyber defense agency.
The activity involved CISA Acting Director Madhu Gottumukkala and occurred in mid-2025, according to people familiar with the matter. While the materials were not classified, they were restricted from public dissemination and were uploaded into a public instance of ChatGPT, triggering internal alerts. The incident was first reported by Politico.
The acting director’s use of ChatGPT with the sensitive documents was reportedly identified through internal agency cybersecurity monitoring, prompting a review to determine whether the activity posed security or compliance risks. The outcome of that review has not been publicly disclosed.
AJ Grotto, a former senior White House director for cyber policy during the Obama and Trump administrations, described the allegations against Gottumukkala as “troubling” and said foreign adversaries “enthusiastically exploit mistakes like the one alleged here.”
“Experimentation is essential, but experiments are meant to be carried out in a controlled environment,” he added. “The federal government has a hard enough time already defending its networks against a constant barrage of cyberattacks.”
CISA said the use was authorized. In a statement sent to Information Security Media Group, Director of Public Affairs Marci McCarthy said Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” describing the access as short-term and limited. McCarthy said CISA remains committed to using AI to support modernization efforts under the administration’s AI executive order.
Officials who spoke on background said Gottumukkala last used ChatGPT in mid-July 2025 under a temporary exception granted to some employees. CISA’s default security posture continues to block access to ChatGPT unless an exception is approved.
Some AI governance experts said the detection itself reflects a relatively strong control environment. Andrew Gamino-Cheong, co-founder and CTO of Trustible, said many organizations lack visibility into how public AI tools are used by employees.
“Catching that, and having the organizational processes to address it, is a sign of very high AI governance maturity,” Gamino-Cheong said, adding that shadow AI remains a growing challenge across both government and industry.
Gamino-Cheong said the broader challenge across government is not eliminating all AI risk but managing it as tools evolve faster than policy. He noted that the administration is pushing agencies toward sanctioned AI tools in part because blanket bans often drive unsanctioned use at scale.
Other experts say agencies need to move faster to provide safer alternatives rather than relying on temporary exceptions. Darren Kimura, CEO and president of AI Squared, said experimentation should be confined to tightly controlled environments.
“Agencies must create sanctioned sandbox environments with synthetic or declassified data for experimentation rather than imposing blanket bans that drive shadow IT,” said Kimura.
Former CISA officials said the agency historically took a conservative approach to AI-assisted services, particularly those hosted outside government infrastructure. Two former staffers said that teams generally avoided such tools unless explicit approval was granted.
There were strict guidelines – “and a ton of hesitation,” one former staffer said. “If it wasn’t clearly authorized and encouraged, people just didn’t use it.”
The ChatGPT episode comes at a time when CISA is under heightened scrutiny following a bruising year for the agency. CISA has been without a Senate-confirmed director for nearly a year, with Gottumukkala serving in an acting capacity amid broader delays in leadership confirmations across the administration (see: No Vote, No Leader: CISA Faces 2026 Without a Director).
That leadership vacuum has coincided with a period of sustained turnover at the agency, including the departure of multiple senior executives and career officials following budget pressure, reorganization efforts and workforce reductions (see: CISA Is ‘Trying to Get Back on Its Mission’ After Trump Cuts).
Lawmakers have repeatedly pressed CISA leadership on whether staffing levels, governance structures and internal controls remain sufficient as foreign adversaries intensify cyber operations targeting U.S. critical infrastructure.
