What Are the Risks of Using ChatGPT Agent With Connected Apps?

Last updated: June 2026.

ChatGPT Agent can read data and take actions inside connected apps like Gmail, GitHub, and Google Drive on a user’s behalf. That access creates real risk. A prompt injection can redirect the agent. An over-broad connector can reach more than the task needs. An unreviewed action can move data or money. Data residency, retention, and action-level audit evidence add further questions. The controls that answer them sit at the AI interaction and the tool call, not the destination.

What ChatGPT Agent actually does with connected apps

ChatGPT Agent does not stop at answering questions. It reads from your connected apps and takes actions inside them. It runs on its own virtual computer with a visual browser, a text browser, a terminal, and direct application programming interface (API) access, and it connects to apps so it can pull in relevant information and act on it. OpenAI describes the release as the first time users can ask ChatGPT to take actions on the web (OpenAI, 2025).

Connect an app like Gmail or GitHub and, once authenticated, the agent can summarize an inbox or find an open meeting slot. To act on a site, it may take over the browser to log in. As of December 2025, OpenAI renamed connectors to apps: apps let ChatGPT read information and take actions in connected services (OpenAI, 2026). Business and Enterprise workspaces can go further and build custom apps on the Model Context Protocol (MCP), so ChatGPT can call approved tools and write back to internal systems.

This is not an edge case. AI adoption is near-universal, with 88 percent of organizations now using AI (Stanford HAI, 2026). A sanctioned, licensed ChatGPT Agent wired into enterprise apps is a question most security teams will face, not a hypothetical, which is why the risks below deserve a control plan rather than a ban.

The connector permissions you control, and the gaps they leave

ChatGPT Agent ships with real admin controls, and they still leave gaps that matter for regulated data. App permissions decide when ChatGPT must ask before using an app, with three modes: ask before any action, ask before changes, or the default that reads automatically and asks only before important actions (OpenAI, 2026). Agent mode is off by default for Enterprise workspaces, admins choose which apps and which roles can use it, and a workspace blocklist applies to both browsing and connectors. Workspace agents can authenticate as the end user or as a shared, agent-owned account, and write actions default to ask.

Those defaults still leave room for trouble. The default mode reads from connected apps automatically, so the agent can pull data before anyone approves a step. A connector grants standing access scoped at connect time, and that scope often exceeds the immediate task. A user’s personal ChatGPT account sits outside workspace controls, so the same person can route the same data through an unmanaged tenant. Custom MCP apps add tools an admin has to vet, and OpenAI warns that connecting to untrusted MCP servers increases exposure, including to prompt injection.

You also have to know which connections exist. The Cloud Security Alliance found that only 21 percent of organizations maintain a real-time inventory of their active AI agents (Cloud Security Alliance, 2026). Connected apps are exactly the kind of access that accumulates unseen, so the first control is a current catalog of every app, server, and agent in use.

Prompt injection turns a connected app into an exfiltration path

Prompt injection is the risk that turns ChatGPT Agent’s connected apps from a convenience into an exfiltration path. In an indirect prompt injection, malicious instructions hide inside content the agent reads, such as a web page, an email, or a document. OpenAI’s own example is direct: while researching, the agent could encounter a malicious comment that tells it to retrieve a password reset code from Gmail and send it to an attacker’s site. OpenAI says it placed particular emphasis on this risk and that no system is foolproof (OpenAI, 2026).

The proof is already on the record. In 2025, the EchoLeak flaw (CVE-2025-32711) showed a connected AI assistant turned against its own data: a single crafted email triggered zero-click data exfiltration from Microsoft 365 Copilot, with no user interaction (NVD, 2025). The same class of attack applies to any agent that both reads untrusted content and holds connected-app access. OWASP lists prompt injection as the top risk in its 2025 Top 10 for LLM Applications (LLM01), with Sensitive Information Disclosure (LLM02) and Excessive Agency (LLM06) close behind (OWASP, 2025). Connected apps raise all three at once.

Aurascape’s own threat research found SilentBridge, a class of zero-click indirect-injection flaws in Meta’s Manus agent. Three variants, each rated 9.8 out of 10, were responsibly disclosed and fixed before publication (Aurascape, 2026). The agent does not need to be compromised in the malware sense. It does what it was built to do, on instructions it should never have trusted.

Sensitive actions, data residency, and retention raise the stakes

Once ChatGPT Agent can act, the risk shifts from data leaving to actions taken. The agent fills forms, edits spreadsheets, and can carry a purchase up to a final approval. A connected app can let it send a message, update a record, or move a payment. A wrong or manipulated action inside a connected system is harder to catch and harder to undo than a leaked summary.

Data residency is the next question. Content from connected apps flows into the agent’s virtual computer and the model, and regulated teams have to answer where that data is processed and stored for each connection. OpenAI offers in-region data residency only for specific connectors and regions, so coverage is not uniform across every app.

Retention is the question after that. Conversations, including those that use an app, are available to Enterprise and Edu admins through the Compliance API (OpenAI, 2026). That captures the conversation. It does not, on its own, place a control in the path that decides in the moment whether a specific action on a specific connected system should run.

Missing action-level evidence breaks audit and compliance

A screen recording of an agent is not an audit trail. ChatGPT Agent narrates on screen as it works, and admins can review conversations after the fact. An examiner asks a sharper question: which tool call ran, on whose authority, against which connected system, touching what data, and was it allowed by policy. A conversation log and an on-screen narration do not answer that at the level of the individual action.

For regulated work, that gap is concrete. You can show that a policy existed and that a conversation happened, without showing that a control evaluated the specific action before it executed. That is the difference between asserting governance and proving it. Weak action-level evidence is also part of why agent programs stall. Gartner expects more than 40 percent of agentic AI projects to be canceled by the end of 2027, often from inadequate risk controls (Gartner, 2025).

Risk, why it happens, and the control that closes it:

Prompt injection via connected content
  Why it happens: The agent reads untrusted web, email, or document content and acts on hidden instructions.
  The control that closes it: Inspect the intelligence channel for injection and sensitive data before the model acts.

Over-broad connector access
  Why it happens: A connector grants standing scope set at connect time, often wider than the task.
  The control that closes it: Enforce policy by identity, intention, and entitlement, not by the connection alone.

Personal versus sanctioned account
  Why it happens: The same data can move through an unmanaged personal ChatGPT account.
  The control that closes it: Distinguish enterprise tenants from personal accounts and enforce on the difference.

Unreviewed sensitive action
  Why it happens: The agent can send, update, or pay through a connected app.
  The control that closes it: Govern every tool call before it runs, then allow, coach, warn, block, or redact.

Thin action-level evidence
  Why it happens: Conversation logs capture the chat, not the correlated action record.
  The control that closes it: Keep interaction records for audit and effectiveness under role-based access control.

How Aurascape governs ChatGPT Agent with connected apps

Aurascape governs ChatGPT Agent where the risk lives: at the AI interaction and the tool call, not the destination. It sits on both legs of every agent interaction. The AI Proxy secures the intelligence channel, inspecting prompts and responses in real time for injection and sensitive data. The Zero-Bypass MCP Gateway secures the tool-execution channel, verifying and controlling every tool call, API invocation, and data retrieval before it reaches a connected system (Aurascape, 2026). The gateway cryptographically signs approved tool calls, so unsigned calls cannot reach the tool or the model and unauthorized actions cannot run. If a client tries to reach a server outside the gateway, the request arrives unsigned and is blocked. Cross-call data lineage tracks data across chained actions, catching exfiltration that looks benign one call at a time.

Policy uses the full context of each interaction, not the destination alone. It accounts for identity, whether the session is a sanctioned enterprise tenant or a personal account, the application and the intention in use, the prompt and the response, and the data involved. On that context, Aurascape can allow, coach, warn, block, or redact. It discovers the AI apps and agents in use, including shadow MCP servers employees connect without IT oversight, so the connected-app catalog stays current. It keeps interaction records for audit and effectiveness, governed by role-based access control (RBAC) for privacy, so compliance teams get the action-level record the Compliance API alone does not provide.
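The following is an added illustration, not Aurascape's or OpenAI's code, of the two mechanisms described on this page: the app permission modes from the admin-controls section (ask before any action, ask before changes, or the default that reads automatically and asks before important actions) and a gateway that evaluates each tool call in context and signs approved calls so that the tool side rejects anything unsigned or altered. The tool names, the three mode labels, the shared key, and the one-time-code pattern used as a stand-in for sensitive-data classification are all constructed assumptions.

```python
"""Toy tool-call gateway: context-based policy, inline redaction, HMAC-signed approvals.

Constructed example (not Aurascape's or OpenAI's implementation). Tool names,
mode labels, the key and the sensitive-data pattern are assumptions.
"""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field

# Shared gateway key (constructed). A real gateway keeps this in a KMS or HSM.
GATEWAY_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical vetted tool catalog. Reads run automatically in the default mode,
# changes ask for approval, and payments count as important actions in every mode.
READ_TOOLS = {"gmail.search", "drive.read", "github.list_issues"}
CHANGE_TOOLS = {"gmail.send", "drive.write", "github.create_pr"}
PAYMENT_TOOLS = {"payments.transfer"}

# Toy classifier: a six-digit one-time code, the data type in OpenAI's own
# injection example. Real inline classification is far broader than one regex.
OTP_RE = re.compile(r"\b\d{6}\b")


@dataclass
class ToolCall:
    user: str
    tenant: str          # "enterprise" (sanctioned workspace) or "personal"
    mode: str            # "ask_any" | "ask_changes" | "default"
    tool: str
    args: dict = field(default_factory=dict)


def evaluate(call: ToolCall) -> tuple[str, dict]:
    """Decide allow / ask / block / redact from identity, action class and data."""
    if call.tenant != "enterprise":
        return "block", call.args            # unmanaged tenant carries no workspace data
    if call.tool not in READ_TOOLS | CHANGE_TOOLS | PAYMENT_TOOLS:
        return "block", call.args            # not in the vetted catalog
    if call.tool in CHANGE_TOOLS | PAYMENT_TOOLS:
        # Data leaves the workspace: strip one-time codes from anything written out.
        cleaned = {k: OTP_RE.sub("[REDACTED]", v) if isinstance(v, str) else v
                   for k, v in call.args.items()}
        if cleaned != call.args:
            return "redact", cleaned
    if call.mode == "ask_any":
        return "ask", call.args              # every action needs approval in this mode
    if call.tool in PAYMENT_TOOLS or call.tool in CHANGE_TOOLS:
        return "ask", call.args              # changes and payments ask in the other modes
    return "allow", call.args                # automatic read in ask_changes / default


def canonical(user: str, tenant: str, tool: str, args: dict) -> bytes:
    """Deterministic byte form of a call, so signature and check cover the same bytes."""
    return json.dumps({"user": user, "tenant": tenant, "tool": tool, "args": args},
                      sort_keys=True, separators=(",", ":")).encode()


def gateway_sign(call: ToolCall) -> dict:
    """Evaluate policy and attach a signature only to allow / redact outcomes."""
    decision, args = evaluate(call)
    env = {"user": call.user, "tenant": call.tenant, "tool": call.tool,
           "args": args, "decision": decision}
    if decision in ("allow", "redact"):
        env["sig"] = hmac.new(GATEWAY_KEY, canonical(call.user, call.tenant, call.tool, args),
                              hashlib.sha256).hexdigest()
    return env


def tool_server_accept(env: dict) -> bool:
    """Tool side: run only calls whose gateway signature matches the exact arguments."""
    sig = env.get("sig")
    if not sig:
        return False                          # unsigned: never passed through the gateway
    expected = hmac.new(GATEWAY_KEY, canonical(env["user"], env["tenant"], env["tool"],
                                               env["args"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    # Constructed sample calls.
    for c in (ToolCall("alice", "enterprise", "default", "gmail.search", {"query": "meeting"}),
              ToolCall("alice", "personal", "default", "gmail.search", {"query": "meeting"}),
              ToolCall("alice", "enterprise", "default", "gmail.send",
                       {"to": "x@example.com", "body": "Your reset code is 482913"}),
              ToolCall("alice", "enterprise", "default", "payments.transfer", {"amount": 50})):
        e = gateway_sign(c)
        print(c.tool, c.tenant, "->", e["decision"], "| tool accepts:", tool_server_accept(e))
```

The "ask" outcome deliberately carries no signature: in a real deployment the gateway would collect the user's approval and only then sign, so an approval that was skipped leaves nothing the tool server will run. The signed envelope is also the action-level record the page's audit section asks for: who, which tenant, which tool, which arguments, and which decision, bound together by the signature.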

The need is widely felt. Only 31 percent of organizations feel equipped to control and secure agentic AI systems, even as 83 percent plan to deploy AI agents (Cisco AI Readiness Index, 2025). The payoff is concrete. In one Aurascape deployment, a Fortune 100 insurance and financial enterprise tripled its AI agent integrations with no unauthorized data access while protecting more than 20,000 users, and it cut the time to adopt new AI tools by 60 percent (Aurascape, 2026). Security became the reason the business could adopt agents, not the reason it could not.

To govern ChatGPT Agent with connected apps, deploy in this order:

  1. Discover the connected apps, MCP servers, and agents already in use, and risk-score each one.
  2. Enforce the sanctioned enterprise tenant, so personal ChatGPT accounts do not carry regulated data.
  3. Inspect the intelligence channel for prompt injection and sensitive data before the model acts on a connected app.
  4. Govern every tool call through the gateway, signing approved calls and blocking unsigned ones.
  5. Classify and control data inline, redacting or blocking when an action touches sensitive data.
  6. Keep RBAC-governed interaction records, so the action-level evidence exists when an examiner asks.

Aurascape runs alongside the security service edge (SSE), cloud access security broker (CASB), and data loss prevention (DLP) tools you already have. No rip-and-replace. It closes the AI interaction and tool-call gap that destination-based controls were not built to inspect. The contrast is on the AI-era capabilities, not on the web and software-as-a-service traffic those tools handle well.

Capability comparison (legacy SSE / CASB / DLP means tools such as Zscaler, Palo Alto Networks, and Netskope):

Unit of enforcement
  Legacy SSE / CASB / DLP: Network destination, URL, and file category.
  Aurascape: The AI interaction and the individual tool call.

Indirect prompt injection in agent inputs
  Legacy SSE / CASB / DLP: Scans files and URLs by signature and category.
  Aurascape: Inspects the intelligence channel for injection and sensitive data in real time.

Sanctioned tenant versus personal account
  Legacy SSE / CASB / DLP: Allows or blocks the destination for everyone.
  Aurascape: Enforces policy by enterprise tenant versus personal account.

Agent tool-call control
  Legacy SSE / CASB / DLP: Operates at the destination, not the tool call.
  Aurascape: Cryptographically signs approved tool calls; unsigned calls cannot run.

Coverage breadth
  Legacy SSE / CASB / DLP: Browser and network web traffic.
  Aurascape: 20,000+ AI apps and agents across browser, desktop, command-line, and MCP.

Related reading: what is prompt injection, AI data leakage, and AI usage control.

Frequently asked questions

Does ChatGPT Agent store data from my connected apps?

Conversations, including those that use a connected app, are available to Enterprise and Edu admins through OpenAI’s Compliance API, and connected-app content flows through the agent’s virtual computer and the model during a task. In-region data residency is offered only for specific connectors and regions, so where data is processed varies by app. The conversation record captures the chat, not a control that evaluated each action, which is the action-level evidence regulated teams need.

Can ChatGPT Agent be tricked into leaking data through prompt injection?

Yes, and OpenAI flags it as a primary risk for agentic systems. In an indirect prompt injection, hidden instructions in a web page, email, or document tell the agent to act against the user’s interest, for example by pulling data from a connected app and sending it out. The EchoLeak flaw (CVE-2025-32711) proved a connected assistant could exfiltrate data with zero user clicks, and OWASP ranks prompt injection as the top risk for AI applications. An inline control that inspects the interaction and signs tool calls is what limits the blast radius.

What audit logs does ChatGPT Agent provide for connected-app actions?

ChatGPT Agent narrates on screen as it works, and Enterprise and Edu admins can review conversations through the Compliance API. Those records show the conversation, not a correlated, policy-evaluated record of which tool call ran against which connected system and what data it touched. Aurascape adds that action-level evidence by inspecting every tool call and keeping interaction records under role-based access control.

How do I let employees use ChatGPT Agent without exposing connected apps?

Govern the interaction and the tool call rather than banning the tool. Build a current catalog of connected apps and agents, enforce the sanctioned enterprise tenant over personal accounts, inspect prompts and responses for injection and sensitive data, and route every tool call through a gateway that signs approved calls and blocks unsigned ones. Aurascape applies these controls inline and keeps the records auditors expect, so adoption and security move together.


Aurascape lets you turn on ChatGPT Agent and its connected apps without trading away control. It inspects the intelligence channel for injection and sensitive data, signs and governs every tool call through the Zero-Bypass MCP Gateway, and keeps the action-level records your auditors expect, so a sanctioned agent stays inside policy. Security becomes the reason you can adopt the agent, not the reason you cannot.
