Is employee ChatGPT monitoring legal?

In most jurisdictions, monitoring of work-related AI tool usage on enterprise infrastructure is permissible where the enterprise discloses the monitoring in the acceptable use policy and the employee handbook. EU jurisdictions add GDPR requirements on the legal basis for the monitoring, typically legitimate interest balanced against employee privacy expectations. Member state works councils may have consultation rights. The legal analysis is jurisdiction-specific; the technical inspection is the same.

Does ChatGPT Enterprise solve the monitoring problem?

ChatGPT Enterprise provides admin controls, SSO integration, no training on customer prompts, and audit logging from the OpenAI side. The visibility is into the sanctioned ChatGPT Enterprise tenant. Employees using personal ChatGPT accounts on the same enterprise device sit outside this tenant. The Enterprise tier solves the sanctioned-tool record but does not address the unsanctioned-tool gap.

What's the difference between monitoring and enforcement?

Monitoring records the event. Enforcement decides whether the event happens. A monitoring-only architecture lets the prompt reach the model and produces a log the CISO can review later. An enforcement architecture evaluates the prompt against policy before the model call and blocks the prompt where the policy rejects it. The enforcement architecture also produces the contemporaneous record.

How does this work for browser-based ChatGPT usage?

Browser-based usage where the corporate root CA is installed is in scope for SSL inspection. The inspection produces a content record but lacks the enterprise identity context. An inline AI proxy can be wired in through a corporate browser extension that routes ChatGPT traffic through the proxy regardless of the user's account. The browser extension produces the identity context and the classification at request time.

What about ChatGPT mobile app usage?

Mobile app usage where the user is signed in to a personal account on a personal device is outside the enterprise's inspection scope. The enterprise can monitor the network egress where the device is on the corporate Wi-Fi but the application TLS pinning typically prevents content inspection. The risk control here is policy and acceptable use, plus separation of work data from personal devices through MAM or BYOD policy.

Employee ChatGPT Monitoring: The Inspection Points That Actually See Prompt Content (and the Ones That Miss It)

Cloud Radix reports that 78% of employees use unauthorized AI tools at work and 77% of those employees admit to pasting sensitive business data into unsanctioned prompts. ChatGPT is the most-used tool across the enterprise sample because the consumer account requires only an email address. IBM's Cost of Data Breach Report puts the incremental cost of shadow-AI-linked breaches at $670,000 with a 247-day average detection time. Employee ChatGPT monitoring is the operational response, and the monitoring landscape includes five separable telemetry surfaces. Two of them see the prompt content. Two of them see only the connection. One of them sees only the authentication event. The choice of which surface to deploy decides whether the monitoring record actually contains what a board, an auditor, or a regulator will ask for.

I want to walk through the five surfaces, what each one produces, what the record is missing, and the architecture that produces the contemporaneous identity, classification, and policy state a regulator accepts.

The five inspection surfaces

The five surfaces differ in placement, what they capture, and what they cost to operate.

Endpoint agent (EDR or DLP)

An endpoint agent installed on the managed laptop can detect launches of ChatGPT desktop applications, browser extensions that interact with chat.openai.com, and clipboard operations into recognized AI-tool windows. The agent sees what runs on the device. The agent does not see browser-based ChatGPT usage on a personal device, on a contractor laptop without the agent, or on a mobile device outside MDM. The agent can record clipboard content where the policy permits, which gives partial visibility into what the employee tried to paste.

Network DNS resolution

DNS query logs at the corporate resolver show requests for chat.openai.com, api.openai.com, claude.ai, gemini.google.com, and the long tail of AI tool domains. The log records the device, the timestamp, and the resolved domain. The log does not record the user identity, the prompt content, or the response. DNS detection is cheap and broad but reads only at the domain level.

SSL inspection

TLS-break infrastructure at the network egress decrypts and inspects HTTPS traffic to AI provider domains where the corporate root CA is installed on the client device. The inspection sees the prompt and the response in plain text. The inspection requires acceptance of the man-in-the-middle posture by the application TLS pinning behavior. ChatGPT desktop applications and the mobile apps for OpenAI's products typically pin TLS and refuse the corporate root CA. The browser-based ChatGPT usage on managed devices with the corporate CA installed is in scope; the mobile app and the desktop app usage are not.

Identity provider sign-in logs

The IdP logs sign-ins to OpenAI's enterprise SSO when the enterprise has provisioned ChatGPT Enterprise or Team. The log records the user and the timestamp. The log does not record the prompts that follow. The IdP log is a coverage signal for the sanctioned tier, not a detection mechanism for unsanctioned use through personal accounts.

Inline AI request proxy

An inline proxy on the HTTP path between the calling identity and the OpenAI API endpoint terminates the TLS at the proxy, reads the request body, evaluates identity-bound policy, applies a pass, redact, or block decision, commits the per-decision audit record, and forwards the request to the model. The proxy sees prompt content, identity context, classification, policy state, and decision outcome in a single record. The deployment requires routing AI request traffic through the proxy, which the enterprise achieves through network policy, SDK configuration, or browser extension.

Where the first three surfaces miss prompt content

The first three surfaces detect the connection but miss the substance.

Endpoint agents miss BYOD and personal devices

The agent runs on managed devices. The 78% Cloud Radix figure for unauthorized AI usage includes employees who use personal devices, personal hotspots, or contractor laptops. The agent's coverage is bounded by the device fleet.

DNS logs see the domain, not the prompt

DNS resolution happens before the TLS handshake. The DNS log records api.openai.com as the resolved domain. The log does not record what the user pasted into the prompt. A monitoring program that depends on DNS detection produces a usage signal but not a content record.

SSO logs see sign-in, not usage

The IdP records the sign-in event for sanctioned ChatGPT Enterprise users. The IdP does not record the prompts or the responses. Most unsanctioned ChatGPT usage happens outside the IdP path entirely, on personal accounts that authenticate through OpenAI directly.

The audit record gap in the first three surfaces means the CISO can answer "did the employee connect to ChatGPT" but cannot answer "what did the employee paste." The board's actual question and the regulator's actual question concern the content.

What an audit-grade record contains

A monitoring record that survives a regulatory inquiry under EU AI Act Article 19 or DORA Article 19 must contain the period of use (timestamps), the input data (prompt content or classification of the content), and the identity of natural persons involved. The record must persist independently of the application that generated the prompt and must be tamper-evident.

The first three surfaces produce records that capture the connection. The SSL inspection surface produces records that capture the content but lack the enterprise identity context the IdP holds. The inline proxy surface produces records that capture content, identity, classification, policy state, and decision outcome in a single artifact.

Governing employee ChatGPT usage

The architecture that produces the audit-grade record is the same architecture that enforces policy at decision time. Detection without enforcement leaves the enterprise with a log of what happened. Enforcement at the AI request boundary blocks the sensitive prompt before it reaches the model and commits the record contemporaneously.

The four operational components are AI traffic identification, identity mapping at the request layer, prompt-level classification before the model call, and inline policy enforcement that decides pass, redact, or block per request. The components run on the inline proxy surface.

DeepInspect

This is the gap DeepInspect closes. DeepInspect sits at the AI request boundary as an external enforcement layer that operates as a stateless proxy between authenticated users or agents and the OpenAI API endpoint (or any other LLM endpoint). Every HTTP request is evaluated against per-route, per-role policies using identity context the calling application supplies. The per-decision audit record is committed by the proxy before the model response returns.

The record contains a verified identity for the requester, the role and authorization context, the data classification applied to the prompt, the AI vendor and model actually called, the policy version that governed the decision, the decision outcome, and a cryptographic signature that prevents post-hoc modification. The CISO produces the content record and the connection record from a single source.

Book a demo today.