CISA interim director Madhu Gottumukkala is under fire for uploading sensitive government material into ChatGPT's public version. (Image: Twitter / @CISAgov)

The man responsible for protecting America's federal networks from sophisticated cyber threats is now at the centre of a Department of Homeland Security (DHS) investigation after uploading sensitive government documents to a public version of ChatGPT, raising urgent questions about data sovereignty at the peak of the US security apparatus.

Madhu Gottumukkala, Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), triggered multiple automated security alerts last summer when he inputted internal contracting materials marked 'For Official Use Only' (FOUO) into OpenAI's publicly accessible platform despite broad restrictions on its use across DHS, according to Politico, which first reported the story, citing four DHS officials.

The irony is striking: the official tasked with defending the United States against foreign cyber adversaries apparently bypassed his own agency's security protocols to experiment with an AI tool already blocked for most federal employees.

The activity, which occurred shortly after Gottumukkala assumed leadership in May, is now the subject of a formal damage assessment by federal authorities. The disclosure has sparked serious concern inside Washington about data governance, executive judgment and the risks of senior officials experimenting with consumer AI tools while overseeing national cyber defence.

The episode has now become a test case for how far federal leaders can go in adopting artificial intelligence without breaching security protocols.

Sensitive Government Documents Shared On Public Platform

The incident came to light after CISA's internal cybersecurity monitoring systems flagged the uploads in August 2025, recording several alerts within the first week of activity. Though the documents were not formally classified, their designation as 'For Official Use Only' signifies sensitivity and a clear expectation that they remain within controlled environments.

Under federal cybersecurity policy, such markings indicate that material is not intended for public disclosure and is subject to strict handling protocols. Public versions of ChatGPT, operated by OpenAI, process user inputs in ways that could incorporate uploaded information into their responses or training processes, exposing that material to a vast global user base, including foreign intelligence services.

Gottumukkala's use of the public platform was notable because access to ChatGPT was blocked for most Department of Homeland Security employees at the time on security grounds. According to officials with direct knowledge of the matter, he had requested and obtained a special exception from CISA's Office of the Chief Information Officer shortly after he assumed leadership of the agency in May 2025.

The decision to use the public ChatGPT rather than an approved internal tool was central to the DHS investigation. Federal agencies have developed in-house AI systems, such as DHSChat, designed to prevent sensitive inputs from leaving secure government networks.

Internal Investigation And DHS Review

Automated security alerts triggered by Gottumukkala's uploads prompted senior DHS leadership to launch a full internal review to determine if the disclosures had compromised national security or violated internal policies.

It remains unclear what findings, if any, the review has produced or whether any formal conclusions have been reached about potential harm to government systems.

Following detection, Gottumukkala met with senior officials, including the then-acting general counsel of DHS, Joseph Mazzara, and the department's chief information officer, Antoine McCord, to assess what material had been uploaded and whether any remedial action was necessary.

In a statement to Politico shared with media outlets, CISA's Director of Public Affairs, Marci McCarthy, said that Gottumukkala had 'been granted permission to use ChatGPT with DHS controls in place,' and characterised it as a 'short-term and limited' experiment in using artificial intelligence tools.

Her account also disputed elements of external reporting, suggesting that Gottumukkala 'last used ChatGPT in mid-July 2025 under an authorised temporary exception,' and emphasised that CISA's default position is to block access to public AI platforms absent a specific exception.

The Man At The Centre Of The Storm

Madhu Gottumukkala, born in the southern Indian state of Andhra Pradesh and educated in engineering and information systems, has served as Acting Director of CISA since May 2025 after a series of roles in state and federal information technology.

As the senior political appointee at CISA, he oversees efforts to protect the United States' federal networks and critical infrastructure from sophisticated cyber threats, including those attributed to state-sponsored adversaries.

Before his appointment to CISA, Gottumukkala served as South Dakota's Chief Information Officer and was later named Commissioner of the South Dakota Bureau of Information and Telecommunications. His leadership at CISA has been marked by turbulence.

Previous reporting indicates that at least six career staff were placed on leave after Gottumukkala pushed for, and then failed, a counterintelligence polygraph exam, a matter that drew scrutiny among career officials.

During congressional testimony in late January 2026, Gottumukkala rejected characterisations of those earlier incidents, stating that he did 'not accept the premise of that characterisation' when questioned about the polygraph and subsequent personnel actions. He also faced internal organisational conflict when attempting to remove CISA's Chief Information Officer, Robert Costello — a move that other political appointees reportedly blocked.

While the internal review's final conclusions remain undisclosed, the incident has highlighted tensions between the rapid adoption of emerging technologies and the strict protocols required to safeguard critical infrastructure. As CISA continues its mission to protect federal networks from state-sponsored adversaries in Russia and China, the accountability of its own leadership remains under intense scrutiny by both lawmakers and career cybersecurity professionals.