The acting leader of America’s primary cybersecurity defense agency uploaded at least four documents marked as sensitive government information to the public version of ChatGPT last summer, triggering internal security warnings and prompting a review by Department of Homeland Security officials.
Madhu Gottumukkala, who has led the Cybersecurity and Infrastructure Security Agency since May, transferred CISA contracting materials labeled “for official use only” into the widely used artificial intelligence platform, according to four DHS officials familiar with the situation.
According to sources, while the files were not classified, the designation indicates information intended to remain within government channels rather than being shared publicly.
The disclosure proved particularly notable given Gottumukkala’s position overseeing an agency tasked with defending federal networks against sophisticated cyber threats from foreign adversaries including Russia and China. His role involves safeguarding the same type of sensitive information he allegedly mishandled.
Gottumukkala had requested and received special authorization to use ChatGPT shortly after joining CISA in May, despite the tool being restricted for most DHS personnel at that time. Three officials confirmed he obtained clearance from CISA’s Office of the Chief Information Officer that other employees did not have access to.
Internal cybersecurity systems at CISA identified the uploads in August, generating multiple alerts during the first week of that month. A routine audit examining prompts transmitted to the service revealed the violations, leading DHS leadership to launch an internal assessment. Whether that review concluded or what consequences resulted remains unknown.
One official expressed sharp criticism of the situation, saying Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it.”
Information entered into the public ChatGPT platform is transmitted to OpenAI, where it may be incorporated into training data or used to improve responses for the service’s more than 700 million active users worldwide. This stands in contrast to AI tools approved for DHS use, such as the department’s internal DHSChat system, which are engineered to ensure queries and documents remain within federal systems.
Marci McCarthy, CISA’s director of public affairs, defended Gottumukkala in a statement, saying he “was granted permission to use ChatGPT with DHS controls in place,” and describing the use as “short-term and limited.”
McCarthy disputed the reported timeline, stating: “Acting Director Dr. Madhu Gottumukkala last used ChatGPT in mid-July 2025 under an authorized temporary exception granted to some employees. CISA’s security posture remains to block access to ChatGPT by default unless granted an exception.”
The statement also emphasized the agency’s commitment to “harnessing AI and other cutting-edge technologies to drive government modernization” in line with Trump administration priorities on artificial intelligence leadership.
Following detection of the uploads, Gottumukkala met with senior DHS officials to examine what information had been shared. Joseph Mazzara, then serving as acting general counsel for DHS, participated in evaluating potential impacts on the department, according to one official. Another source indicated DHS Chief Information Officer Antoine McCord also took part in the response.
In August, Gottumukkala held additional meetings with CISA CIO Robert Costello and Chief Counsel Spencer Fisher to address the incident and review proper handling procedures for “for official use only” materials, the four officials said.
Department policy requires security officials to investigate both the circumstances and consequences of any exposure involving official-use material, along with determining appropriate administrative or disciplinary responses. Federal employees receive training on proper handling of sensitive information, and potential consequences for mishandling can range from additional training or formal warnings to more serious measures including suspension or revocation of security clearances.
All four officials requested anonymity due to concerns about retaliation.
Gottumukkala assumed his acting role at CISA after DHS Secretary Kristi Noem appointed him deputy director in April. Trump’s nominee to permanently lead the agency, DHS adviser Sean Plankey, previously had his confirmation delayed by Sen. Rick Scott over an unrelated Coast Guard shipbuilding matter, and no new hearing has been scheduled.
His tenure at CISA has faced scrutiny beyond the ChatGPT incident. Earlier this year, at least six career employees were placed on leave following a counterintelligence polygraph examination that Gottumukkala requested.
DHS later characterized that exam as “unsanctioned.” During a congressional hearing last week, when asked whether he was “aware” of not passing the test, Gottumukkala responded twice that he did not “accept the premise of that characterization.”
More recently, Gottumukkala reportedly attempted to remove Costello from his CIO position, though other political appointees intervened to prevent the action.
