Got-Two-Issues: How the CISA Director Turned Sensitive Files into AI Training Data
When 'Acting' Director Means Acting Like You Never Read the Security Manual, and Professionalism Takes a Coffee Break
The Cybersecurity and Infrastructure Security Agency exists to protect government networks from foreign adversaries and cybercriminals. It’s serious work, and the people who do it tend to take it seriously because the consequences of failure are measured in national security and public safety.
So when I read that the acting director of CISA uploaded sensitive contracting documents marked “for official use only” to a public version of ChatGPT, I had to read the story twice. This is the kind of mistake you might expect from an intern who hasn’t completed their security training, not the person running the agency responsible for American cyber defense.
Let me be clear about what happened. Madhu Gottumukkala, who has led CISA since May 2025, obtained special permission to use ChatGPT, which most Department of Homeland Security employees are prohibited from accessing. Most DHS staff work with approved internal tools designed to prevent sensitive information from leaving government networks. But Gottumukkala wanted the public version instead, got his way, and then uploaded documents that triggered automated security alerts (Rascius, 2026).
FOUO means “For Official Use Only.” This designation is not as restrictive as classified information, but it still means the material is sensitive and could harm national security if disclosed. Data entered into ChatGPT’s public version can be exposed to the platform’s nearly one billion users. When you paste sensitive government documents into a commercial AI system, you are essentially broadcasting that information globally.
This is not a partisan issue. What we are discussing is a fundamental failure of operational security by someone who should know better. The head of an agency charged with preventing cyberattacks just demonstrated careless handling of sensitive information. The logic is simple: if you cannot protect your own documents, how can you protect critical infrastructure?
The pattern here is troubling. This is the same acting director who reportedly failed a polygraph test when seeking access to highly sensitive intelligence programs. Following that failure, at least six career CISA staff members were placed on administrative leave while the department investigated whether they misled leadership about the polygraph requirement. Career staff described Gottumukkala’s tenure as “a nightmare” and said they feel they are working in a sinking ship (Palmer et al., 2025).
I want to focus on something that deserves more attention. According to reporting from Ars Technica, career staff at CISA had to push back against Gottumukkala on policy matters. The agency’s chief information officer, Robert Costello, was reportedly given one week to either accept a transfer or resign after being involved in meetings about Gottumukkala’s improper ChatGPT use. This is significant because Costello is described as one of the agency’s top remaining technical talents, and the reassignment was only blocked after other appointees objected (Belanger, 2026).
What we are witnessing is the systematic dismantling of institutional competence. Career professionals who understand the rules are being pushed out or punished for doing their jobs correctly. The person left in charge then proceeds to violate the very security protocols he should be enforcing.
This should alarm anyone who cares about effective government, regardless of political affiliation. The acting head of America’s cyber defense agency uploaded sensitive materials to a public AI platform, triggered security alerts, and then watched as the career staff who tried to prevent exactly this kind of incident were placed on administrative leave. That is not how national security agencies should operate. And the people who perpetuate this kind of culture should not be running agencies they do not seem to understand.
You can read Brendan’s solid reporting here: https://www.independent.co.uk/news/world/americas/us-politics/trump-cyber-security-sensitive-materials-chatgpt-b2909704.html
---
Works Cited
Belanger, A. (2026, January 28). US cyber defense chief accidentally uploaded secret government info to ChatGPT. *Ars Technica*. https://arstechnica.com/tech-policy/2026/01/us-cyber-defense-chief-accidentally-uploaded-secret-government-info-to-chatgpt/
Palmer, A., Sherman, A., & Daniels, C. (2025, December 21). Acting CISA director failed a polygraph. Career staff are now under investigation. *Politico*. https://www.politico.com/news/2025/12/21/cisa-acting-director-madhu-gottumukkala-polygraph-investigation-00701996
Rascius, B. (2026, January 28). Trump’s head of cyber security uploaded ‘sensitive’ materials to a public ChatGPT. *The Independent*. https://www.independent.co.uk/news/world/americas/us-politics/trump-cyber-security-sensitive-materials-chatgpt-b2909704.html

