January 11, 2026 | Shadow AI | 7 min read

ChatGPT Enterprise Security: Risks, Incidents, and Protection Strategies

Learn from real ChatGPT data leaks including Samsung. Understand the enterprise security risks of AI chatbots and how to protect your organization.

QAIZEN

AI Governance Team

📖 What is this?

ChatGPT Enterprise Security

The set of policies, controls, and technical measures required to safely deploy ChatGPT and similar AI chatbots in corporate environments, addressing data protection, access control, compliance, and incident response.

  • 3 Samsung leaks in 20 days (Source: Gizmodo 2023)
  • €150M estimated Samsung loss (Source: Industry Analysis)
  • 3.1% of employees input confidential data (Source: Cyberhaven 2024)

Key Takeaways
  • Samsung experienced 3 ChatGPT data leaks within 20 days of lifting their ban
  • 3.1% of employees regularly input confidential data into AI tools
  • ChatGPT Enterprise offers data controls, but free tiers do not
  • EU AI Act requires transparency about AI usage since August 2025
  • Technical controls alone are insufficient without policy and training

The Samsung Wake-Up Call

In April 2023, Samsung became the cautionary tale every CISO references. Within 20 days of lifting their ChatGPT ban, Samsung engineers accidentally leaked confidential data three separate times.

The Three Incidents

Incident 1: Source Code Leak. An engineer pasted proprietary source code into ChatGPT for debugging assistance. That code, potentially including trade secrets, was now part of OpenAI's training data.

Incident 2: Additional Code Sharing. A second engineer, unaware of the first incident, shared different proprietary code for optimization suggestions.

Incident 3: Meeting Notes. A third employee uploaded internal meeting notes, hoping ChatGPT would help summarize key points.

The Aftermath

Samsung's response evolved rapidly:

  1. Initial: 1024-byte prompt limit imposed
  2. Final: Complete ChatGPT ban for employees
  3. Long-term: Development of internal AI tools

Estimated total loss: €150M including intellectual property value, remediation costs, and reputational damage.

The Internal Survey

Following the incidents, Samsung surveyed employees:

  • 65% acknowledged that AI tools pose security risks
  • Yet usage continued until the ban was enforced

This disconnect—knowing the risk but using anyway—is the core Shadow AI challenge.

The Broader Problem: By the Numbers

Samsung isn't unique. Cyberhaven's 2024 research across enterprise environments found:

| Metric | Value |
|---|---|
| Employees inputting confidential data to AI | 3.1% |
| Employees using AI without approval | 78% |
| Organizations with AI visibility | 13% |
| AI-related breaches with access control issues | 97% |

That 3.1% might seem small, but in a 10,000-person company, that's 310 employees regularly sending confidential data to AI tools.

Understanding the Risk Tiers

Tier 1: Free ChatGPT (Highest Risk)

| Risk Factor | Status |
|---|---|
| Data used for training | Yes (by default) |
| Enterprise controls | None |
| SSO integration | No |
| Audit logging | No |
| Data residency | Not guaranteed |
| Compliance certifications | Limited |

Risk Level: Critical for any sensitive data

Tier 2: ChatGPT Plus (High Risk)

| Risk Factor | Status |
|---|---|
| Data used for training | Opt-out available |
| Enterprise controls | None |
| SSO integration | No |
| Audit logging | No |
| Data residency | Not guaranteed |
| Compliance certifications | Limited |

Risk Level: High - individual accounts, no oversight

Tier 3: ChatGPT Team (Medium Risk)

| Risk Factor | Status |
|---|---|
| Data used for training | No (excluded) |
| Enterprise controls | Basic |
| SSO integration | Yes |
| Audit logging | Basic |
| Data residency | Not guaranteed |
| Compliance certifications | SOC 2 |

Risk Level: Medium - better controls, still gaps

Tier 4: ChatGPT Enterprise (Managed Risk)

| Risk Factor | Status |
|---|---|
| Data used for training | No (excluded) |
| Enterprise controls | Comprehensive |
| SSO integration | Yes (SAML) |
| Audit logging | Full |
| Data residency | Configurable |
| Compliance certifications | SOC 2, GDPR, CCPA |

Risk Level: Manageable with proper governance

The Enterprise vs. Free Paradox

Here's the challenge: even if your organization deploys ChatGPT Enterprise, employees can still access free ChatGPT through:

  • Personal accounts on work devices
  • Work devices on personal networks
  • Personal devices on work networks
  • Mobile phones

Enterprise deployment doesn't eliminate Shadow AI—it just provides a controlled alternative.

Technical Controls That Work

1. Network-Level Controls

What: Block or monitor AI domains at the network level

How: Proxy, firewall, or CASB rules

```text
# Example: AI domain blocking list
api.openai.com
chat.openai.com
claude.ai
gemini.google.com
perplexity.ai
```

Limitation: Employees can use mobile networks or VPNs

2. DLP for AI Traffic

What: Inspect traffic to AI services for sensitive data

How: DLP policies targeting AI domains

Effective For:

  • Detecting specific data patterns (credit cards, SSNs)
  • Blocking known confidential keywords
  • Alerting on high-volume paste operations

Limitation: Can't understand context or intent
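The three checks listed above, sketched as a content inspector for requests bound for the article's example AI domains. This is an added example, not code from the article or from any DLP product; the keyword list, the paste-size threshold and the function names are assumptions, and the sample request is constructed.

```python
import re

# Domains taken from the article's example blocking list.
AI_DOMAINS = {"api.openai.com", "chat.openai.com", "claude.ai",
              "gemini.google.com", "perplexity.ai"}
# Assumptions: illustrative keyword list and paste-size threshold.
KEYWORDS = ("confidential", "internal only", "do not distribute")
MAX_PASTE_CHARS = 4000

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_ai_host(host: str) -> bool:
    """Match a listed domain or a subdomain of it, never a lookalike suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AI_DOMAINS)

def inspect(host: str, body: str) -> list[str]:
    """Return the DLP findings for one outbound request body."""
    if not is_ai_host(host):
        return []
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("credit_card")
            break
    if SSN_RE.search(body):
        findings.append("ssn")
    lowered = body.lower()
    findings += [f"keyword:{k}" for k in KEYWORDS if k in lowered]
    if len(body) > MAX_PASTE_CHARS:
        findings.append("large_paste")
    return findings

# Constructed sample request (well-known test card number, made-up SSN).
print(inspect("chat.openai.com", "card 4111 1111 1111 1111, SSN 123-45-6789"))
```

The Luhn check is what keeps order numbers and other 16-digit runs from raising card alerts; none of these checks can tell pasted source code from ordinary text, which is the limitation noted above.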

3. Browser Isolation

What: Run AI tools in isolated browser environments

How: Remote browser isolation (RBI) solutions

Effective For:

  • Preventing copy-paste of sensitive data
  • Blocking downloads from AI tools
  • Audit logging all AI interactions

Limitation: Impacts user experience significantly

4. Endpoint Controls

What: Monitor and control AI tool usage on endpoints

How: EDR/XDR with AI-specific rules

Effective For:

  • Detecting AI application installations
  • Monitoring clipboard for AI-bound data
  • Enforcing AI policies on managed devices

Limitation: No control over unmanaged devices

Policy Controls That Work

Acceptable Use Policy

Define clear boundaries:

```text
APPROVED AI TOOLS:
- ChatGPT Enterprise (for non-sensitive tasks)
- Internal AI Assistant (for all tasks)

PROHIBITED:
- Free ChatGPT, Claude, Gemini (personal accounts)
- Any AI tool not on approved list

NEVER INPUT:
- Source code
- Customer data
- Financial information
- Strategic documents
- Meeting recordings
```

Training Requirements

| Topic | Frequency | Audience |
|---|---|---|
| AI acceptable use | Quarterly | All employees |
| AI risk awareness | Onboarding | New hires |
| Secure AI development | Monthly | Engineers |
| AI incident response | Semi-annual | Security team |

Incident Response

Prepare for AI-related incidents:

  1. Detection: How will you know data leaked to AI?
  2. Containment: Can you revoke AI access quickly?
  3. Assessment: How do you evaluate exposure?
  4. Notification: Who needs to know (regulators, customers)?
  5. Remediation: What changes prevent recurrence?

The EU AI Act Dimension

Since August 2025, the EU AI Act adds compliance requirements:

AI Literacy (Active)

Organizations must ensure employees understand AI risks before deployment.

Transparency (Coming August 2026)

Users must be informed when they're interacting with AI systems.

Documentation (Coming August 2026)

High-risk AI systems require technical documentation.

ChatGPT in regulated industries (healthcare, finance, HR) may qualify as high-risk, requiring:

  • Risk assessments
  • Human oversight provisions
  • Accuracy and robustness guarantees
  • Audit trails

Building Your Protection Strategy

Step 1: Visibility

Before you can protect, you need to see. Identify:

  • Which AI tools employees use
  • What data goes to those tools
  • How frequently
  • Who (by department/role)
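One way to answer these questions from web proxy logs, as an added example that is not part of the original article. The log layout, user names and departments are constructed assumptions; bytes sent is used as a rough stand-in for "what data goes to those tools", since the content itself is not in a proxy log.

```python
from collections import Counter, defaultdict

# Domains taken from the article's example blocking list.
AI_DOMAINS = ("api.openai.com", "chat.openai.com", "claude.ai",
              "gemini.google.com", "perplexity.ai")

# Constructed sample. Assumed layout (adapt to your proxy's real format):
# <timestamp> <user> <department> <host> <bytes_sent>
SAMPLE_LOG = """\
2026-01-05T09:12:03Z alice engineering chat.openai.com 18211
2026-01-05T09:14:40Z alice engineering chat.openai.com 902
2026-01-05T09:20:11Z bob finance claude.ai 45120
2026-01-05T09:21:55Z carol hr intranet.example.com 300
2026-01-05T10:02:19Z dave engineering api.openai.com 7710
2026-01-05T10:15:00Z erin
2026-01-05T10:30:00Z bob finance gemini.google.com 1200
"""

def match_ai_domain(host):
    """Return the listed AI domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    return next((d for d in AI_DOMAINS
                 if host == d or host.endswith("." + d)), None)

def summarize(log_text):
    """Which tools, how often, who (by department), and how much was sent."""
    requests = Counter()
    users_by_dept = defaultdict(set)
    bytes_by_user = Counter()
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            skipped += 1  # count unparsable lines so blind spots are visible
            continue
        _, user, dept, host, sent = parts
        tool = match_ai_domain(host)
        if tool is None:
            continue
        requests[tool] += 1
        users_by_dept[dept].add(user)
        bytes_by_user[user] += int(sent)
    return {
        "requests": dict(requests),
        "users_by_dept": {d: sorted(u) for d, u in users_by_dept.items()},
        "bytes_by_user": dict(bytes_by_user),
        "skipped": skipped,
    }

report = summarize(SAMPLE_LOG)
```

Traffic from mobile networks and unmanaged devices never reaches the proxy, so a report like this is a lower bound on actual usage.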

Step 2: Alternatives

Blocking without alternatives drives workarounds. Provide:

  • Approved AI tools (ChatGPT Enterprise, etc.)
  • Clear use cases for each tool
  • Fast approval process for new tools

Step 3: Controls

Layer your defenses:

  • Network: Monitor/block AI domains
  • Endpoint: Detect AI applications
  • Data: DLP for AI traffic
  • Identity: SSO for approved tools

Step 4: Training

Technology alone isn't enough:

  • Regular AI security awareness
  • Role-specific guidance
  • Incident examples (like Samsung)
  • Clear escalation paths

Step 5: Governance

Ongoing management:

  • Regular policy reviews
  • New tool evaluations
  • Incident tracking
  • Compliance monitoring

Start With Assessment

You can't secure what you don't understand. Our Shadow AI Audit gives you:

  • Estimated ChatGPT/AI usage in your organization
  • Risk quantification in financial terms
  • Gap analysis against best practices
  • Prioritized protection roadmap

5 minutes. Free. Anonymous results.

Samsung's €150M lesson can be your prevention—if you act before the incident.

Sources

  1. Kyle Barr. "Samsung Engineers Accidentally Leaked Company Secrets to ChatGPT". Gizmodo, April 6, 2023.
  2. TechCrunch. "Samsung Bans Staff from Using AI Like ChatGPT After Data Leak". TechCrunch, May 2, 2023.
  3. Cyberhaven. "AI Data Exposure Study 2024". Cyberhaven Labs, March 15, 2024.
  4. OpenAI. "ChatGPT Enterprise Security Whitepaper". OpenAI, January 20, 2024.
  5. OWASP. "GenAI Security Best Practices". OWASP Foundation, August 1, 2024.
