Shadow AI · Tool risk profile

ChatGPT.

by OpenAI · generative ai · Verified April 19, 2026


Base risk

4.0 / 5


ChatGPT on free and Plus tiers retains conversation data and may use it to improve OpenAI models unless users explicitly opt out, making it a leading source of accidental disclosure of customer PII, source code, and unreleased commercial information. ChatGPT Enterprise and Team eliminate training on inputs and add SOC 2 controls, SSO, and admin governance — but only if your company has actually procured the right tier and migrated employees away from personal accounts. The most common shadow AI failure pattern in 2025 is teams believing they have ChatGPT Enterprise when half the organisation is still using personal Plus accounts on corporate machines.

Tier comparison

Same logo. Very different risks.

  Tier                 Risk     Trains on inputs   Retention   SSO   Admin controls
  Free                 high     Yes                30 days     No    No
  Paid · consumer      high     Yes                30 days     No    No
  Enterprise · team    medium   No                 0 days      Yes   Yes

FAQ

Questions teams ask about ChatGPT.

Does ChatGPT use my data to train its models?

On the free and Plus consumer tiers, yes — unless you switch off "Improve the model for everyone" in settings or use Temporary Chats. ChatGPT Enterprise, Team, and API traffic are not used for training by default.

Is ChatGPT compliant with HIPAA or other regulated data regimes?

Only ChatGPT Enterprise and the OpenAI API (with a signed BAA) are positioned for regulated data. Consumer ChatGPT is not HIPAA-compliant, and PHI should not be entered.

How can we tell whether employees are on ChatGPT Enterprise versus their own accounts?

Run an SSO and OAuth audit (the workspace scan in this audit does that for Google Workspace), check expense reports for personal Plus charges, and use a CASB/SSE to identify chat.openai.com traffic that is not authenticated through your enterprise SSO.
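The CASB/SSE check above can be reduced to a small script: take a proxy or CASB export, keep only rows whose destination is an OpenAI host, and flag the ones where the session carried no enterprise identity provider. The example below is added here and is not Buzzi.ai's audit code; the CSV format, the `idp` column values (`okta-saml`, `azure-ad-saml`), and the host list beyond chat.openai.com are constructed assumptions, so map them to whatever your own CASB writes.

```python
"""Flag ChatGPT traffic that did not go through enterprise SSO.

Added example with a constructed log format, not a real CASB export.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Destinations treated as "the OpenAI domain". chat.openai.com is the host
# named in the FAQ; the others are assumptions about hosts a CASB would see
# alongside it.
OPENAI_HOSTS = {"chat.openai.com", "chatgpt.com", "api.openai.com"}

# Identity providers that count as enterprise SSO (assumed names; substitute
# whatever your CASB/SSE writes in its identity column).
ENTERPRISE_IDPS = {"okta-saml", "azure-ad-saml"}


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    idp: str
    count: int


def is_openai_host(host: str) -> bool:
    """Match the host itself or any subdomain of a listed OpenAI host."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in OPENAI_HOSTS)


def unmanaged_sessions(csv_text: str) -> list[Finding]:
    """One Finding per (user, host, idp) where an OpenAI host was reached
    without an enterprise IdP on the session. Other hosts are ignored.
    An empty idp column is treated as 'none'."""
    counts: Counter[tuple[str, str, str]] = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"]
        if not is_openai_host(host):
            continue
        idp = (row.get("idp") or "none").strip().lower()
        if idp in ENTERPRISE_IDPS:
            continue  # authenticated through enterprise SSO: managed account
        counts[(row["user"], host.lower(), idp)] += 1
    return sorted(
        (Finding(u, h, i, n) for (u, h, i), n in counts.items()),
        key=lambda f: (-f.count, f.user),
    )


# Constructed sample export: timestamp, user, destination host, IdP on session.
SAMPLE_LOG = """\
ts,user,host,idp
2026-04-19T09:01:00Z,alice@example.com,chat.openai.com,okta-saml
2026-04-19T09:02:10Z,bob@example.com,chat.openai.com,none
2026-04-19T09:03:30Z,bob@example.com,chat.openai.com,none
2026-04-19T09:04:00Z,carol@example.com,ChatGPT.com,
2026-04-19T09:05:00Z,dave@example.com,docs.google.com,okta-saml
2026-04-19T09:06:00Z,erin@example.com,api.openai.com,okta-saml
"""

if __name__ == "__main__":
    for f in unmanaged_sessions(SAMPLE_LOG):
        print(f"{f.user:20} {f.host:18} idp={f.idp:6} sessions={f.count}")
```

On the sample data this reports bob (two sessions) and carol (one) as users reaching an OpenAI host outside enterprise SSO; alice and erin pass because their sessions carry the IdP, and dave is skipped because the destination is not an OpenAI host. The output is a starting list for cross-checking against expense reports and the SSO/OAuth audit, not proof of a personal account on its own.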

What controls should we put around ChatGPT?

Mandate enterprise-tier accounts via SSO, block personal-account logins on corporate networks, publish an Acceptable Use Policy, and require DLP on the OpenAI domain.

Audit your shadow AI

Is ChatGPT live in your org alongside tools IT doesn’t know about?

Run a free 12-minute audit to surface every shadow AI tool on your network, score the risk, and walk away with a block-list your IT team can import.

Buzzi.ai publishes tool risk profiles for informational purposes only. Always validate terms with the vendor before operational decisions.