Shadow AI · Risk profile
ChatGPT
by OpenAI · generative ai · Verified April 19, 2026
Base risk: 4.0 / 5
ChatGPT on free and Plus tiers retains conversation data and may use it to improve OpenAI models unless users explicitly opt out, making it a leading source of accidental disclosure of customer PII, source code, and unreleased commercial information. ChatGPT Enterprise and Team eliminate training on inputs and add SOC 2 controls, SSO, and admin governance — but only if your company has actually procured the right tier and migrated employees away from personal accounts. The most common shadow AI failure pattern in 2025 is teams believing they have ChatGPT Enterprise when half the organisation is still using personal Plus accounts on corporate machines.
Tier comparison
Free: high
Paid · consumer: high
Enterprise · team: medium
Safer alternatives
Claude
generative ai
Anthropic’s assistant family with strong reasoning, long context, and Computer Use.
Microsoft 365 Copilot
native suite
Microsoft’s tenant-bounded Copilot across Word, Excel, PowerPoint, Outlook, Teams.
Google Gemini for Workspace
native suite
Gemini integrated into Gmail, Docs, Sheets, Meet, Drive — tenant-bounded.
Frequently asked questions
On the free and Plus consumer tiers, yes — unless you switch off "Improve the model for everyone" in settings or use Temporary Chats. ChatGPT Enterprise, Team, and API traffic are not used for training by default.
Only ChatGPT Enterprise and the OpenAI API (with a signed BAA) are positioned for regulated data. Consumer ChatGPT is not HIPAA-compliant, and PHI should not be entered.
Run an SSO and OAuth audit (the workspace scan in this audit does that for Google Workspace), check expense reports for personal Plus charges, and use a CASB/SSE to identify chat.openai.com traffic that is not authenticated through your enterprise SSO.
Mandate enterprise-tier accounts via SSO, block personal-account logins on corporate networks, publish an Acceptable Use Policy, and require DLP on the OpenAI domain.
Buzzi.ai publishes profiles for informational purposes. Always validate the terms with the vendor.