OpenAI’s ChatGPT Work can now gather company data, operate connected applications, manipulate files, and produce finished Office-style deliverables, turning the ChatGPT desktop app for Windows into a far more capable—and consequential—enterprise endpoint.
Launched July 9 alongside GPT-5.6, ChatGPT Work is available through OpenAI’s unified desktop app on Windows and macOS, with web and mobile access rolling out across eligible ChatGPT plans. As detailed in OpenAI’s announcement and subsequent reporting by TechRepublic, the agent can carry out multistep projects across files, websites, desktop software, email, calendars, messaging platforms, storage services, CRM systems, and project trackers.
For IT departments, this is not merely a better document generator. ChatGPT Work is an automation platform with access to employee identities, business data, write-capable tools, and potentially unattended scheduled tasks. Before enabling it broadly, administrators need to answer three questions: what can it reach, which actions require approval, and whether its activity is visible during an investigation.
ChatGPT Work uses GPT-5.6 with technology derived from Codex to break a goal into steps, collect context, and create documents, presentations, spreadsheets, analyses, dashboards, and web apps. The Windows desktop application also includes a built-in browser and can work with local files and desktop software.
OpenAI says more than 1,400 plugins are available, but the number of possible integrations is less important than the permissions granted to each one. A connection to Outlook or Google Workspace may begin as a convenient way to find meeting notes, yet write scopes can allow an agent to send email, modify calendar entries, upload files, or alter shared records.
The first security check is therefore an access and identity inventory. For every enabled app, plugin, custom Model Context Protocol integration, and local folder, administrators should document:
OpenAI’s documentation says Enterprise and Edu workspaces disable apps by default, while Business workspaces generally enable them by default. Enterprise and Edu administrators can also apply role-based controls and choose whether an app receives read-only access, a custom selection of actions, or all available actions.
That makes the safest rollout model relatively straightforward: begin with a small user group, read-only sources, dedicated test data, and one narrowly defined workflow. A request such as producing a weekly project summary from approved Jira projects is easier to govern than an open-ended instruction to “manage this account and keep the team updated.”
The default Important actions setting is designed to interrupt operations that may expose sensitive information, affect an external system, or be difficult to reverse. Examples in OpenAI’s documentation include sending messages, deleting content, changing appointments, moving cloud files, issuing refunds, modifying sharing permissions, and handling authentication information.
That classification is useful, but enterprises should not delegate their entire control policy to a runtime risk judgment. During an initial deployment, approval should be mandatory before ChatGPT Work:
Computer Use introduces another layer of uncertainty because it can click, type, browse, and move files through interfaces that were designed for humans rather than APIs. Traditional access controls may record the employee account as the actor without clearly distinguishing which operations were initiated by the employee and which were performed by ChatGPT.
Administrators should therefore test approval behavior rather than relying on settings labels. A pilot should include attempts to send a message, overwrite a shared file, transfer data to an unapproved destination, and follow an instruction embedded in an external document. The expected result needs to be verified for each app and action, not assumed from a workspace-wide toggle.
OpenAI’s Compliance API and Compliance Logs platform can expose conversations, connected app usage, shared data, and related metadata to enterprise security systems. That information can be integrated with SIEM, data-loss prevention, and e-discovery tooling, subject to the organization’s ChatGPT plan and configuration.
However, administrators should verify the granularity of those records. OpenAI’s documentation for ChatGPT agent capabilities has previously noted that conversations involving agent tasks may appear in compliance logs while individual virtual-computer operations, app requests, and internal reasoning are not necessarily recorded as separate events. OpenAI also says app calls are logged, but the coverage can differ by feature and execution path.
For Windows administrators, this means ChatGPT telemetry should be correlated with existing endpoint and cloud records rather than treated as a complete audit trail. Microsoft Defender for Endpoint, Windows event logs, Entra ID sign-in data, Microsoft Purview, application audit logs, proxy records, and file-system monitoring may hold evidence that the ChatGPT console does not.
A useful pilot test is to reconstruct one task from beginning to end. The security team should be able to determine who started it, which identity and integrations were used, what data was read, what external actions occurred, which approvals were presented, and what files or records changed.
If investigators cannot answer those questions, the workflow should not receive permission to modify production systems.
OpenAI describes prompt injection as a continuing security risk and offers mitigations including restricted network access, app controls, approval prompts, and Lockdown Mode. Lockdown Mode is intended to reduce the final stage of data exfiltration by limiting outbound network requests and, in some configurations, blocking live connector access and write operations. OpenAI cautions that it does not guarantee that exfiltration is impossible.
The OWASP Top 10 for Agentic Applications places agent goal hijacking, tool misuse, and identity or privilege abuse among the central risks for autonomous systems. Each becomes more serious when an agent can combine information from several applications and then act through a browser or desktop session.
NIST’s Generative AI Profile offers a broader structure for assigning risk owners, documenting safeguards, testing system behavior, and tracking residual risk. It does not replace Entra ID conditional access, endpoint controls, DLP, retention policies, or application-specific auditing, but it can help organizations apply those controls consistently to agent workflows.
ChatGPT Work’s productivity case is clear: it can turn scattered messages, files, and business records into completed deliverables without requiring an employee to manually transfer information between applications. The same reach makes a permissive deployment difficult to distinguish from giving a new automation account access to the desktop, browser, and company SaaS estate.
The prudent Windows rollout starts with least-privilege connections, mandatory approval for write actions, and tested end-to-end logging. Until those three controls are proven in the organization’s own environment, ChatGPT Work should remain a supervised pilot—not an unattended digital employee.
Launched July 9 alongside GPT-5.6, ChatGPT Work is available through OpenAI’s unified desktop app on Windows and macOS, with web and mobile access rolling out across eligible ChatGPT plans. As detailed in OpenAI’s announcement and subsequent reporting by TechRepublic, the agent can carry out multistep projects across files, websites, desktop software, email, calendars, messaging platforms, storage services, CRM systems, and project trackers.
For IT departments, this is not merely a better document generator. ChatGPT Work is an automation platform with access to employee identities, business data, write-capable tools, and potentially unattended scheduled tasks. Before enabling it broadly, administrators need to answer three questions: what can it reach, which actions require approval, and whether its activity is visible during an investigation.
Inventory Every Identity and Connected App
ChatGPT Work uses GPT-5.6 with technology derived from Codex to break a goal into steps, collect context, and create documents, presentations, spreadsheets, analyses, dashboards, and web apps. The Windows desktop application also includes a built-in browser and can work with local files and desktop software.OpenAI says more than 1,400 plugins are available, but the number of possible integrations is less important than the permissions granted to each one. A connection to Outlook or Google Workspace may begin as a convenient way to find meeting notes, yet write scopes can allow an agent to send email, modify calendar entries, upload files, or alter shared records.
The first security check is therefore an access and identity inventory. For every enabled app, plugin, custom Model Context Protocol integration, and local folder, administrators should document:
- The connection uses an individual employee’s delegated identity, a service identity, or a shared account.
- The granted OAuth scopes match a defined business workflow rather than every capability offered by the integration.
- Access is restricted through role-based access control to the users who need the workflow.
- Local file access excludes credential stores, source-code secrets, browser profiles, exports, and unrelated business records.
- New actions added by an app vendor will remain disabled until an administrator reviews them.
OpenAI’s documentation says Enterprise and Edu workspaces disable apps by default, while Business workspaces generally enable them by default. Enterprise and Edu administrators can also apply role-based controls and choose whether an app receives read-only access, a custom selection of actions, or all available actions.
That makes the safest rollout model relatively straightforward: begin with a small user group, read-only sources, dedicated test data, and one narrowly defined workflow. A request such as producing a weekly project summary from approved Jira projects is easier to govern than an open-ended instruction to “manage this account and keep the team updated.”
Put Approval Gates in Front of Consequential Actions
OpenAI provides several approval levels for connected app activity. Depending on the account and integration, ChatGPT can be configured to ask before every operation, before any change, only before actions it considers important, or—in higher-risk configurations—not to ask at all.The default Important actions setting is designed to interrupt operations that may expose sensitive information, affect an external system, or be difficult to reverse. Examples in OpenAI’s documentation include sending messages, deleting content, changing appointments, moving cloud files, issuing refunds, modifying sharing permissions, and handling authentication information.
That classification is useful, but enterprises should not delegate their entire control policy to a runtime risk judgment. During an initial deployment, approval should be mandatory before ChatGPT Work:
- Sends or edits email, chat messages, comments, invitations, or public posts.
- Creates, moves, overwrites, deletes, or changes the sharing permissions of files.
- Changes calendars, CRM entries, tickets, customer records, or project status.
- Uploads company information to another service or newly encountered website.
- Executes purchases, refunds, subscription changes, or other financial operations.
- Runs commands, installs software, changes configuration, or accesses secrets on a Windows device.
Computer Use introduces another layer of uncertainty because it can click, type, browse, and move files through interfaces that were designed for humans rather than APIs. Traditional access controls may record the employee account as the actor without clearly distinguishing which operations were initiated by the employee and which were performed by ChatGPT.
Administrators should therefore test approval behavior rather than relying on settings labels. A pilot should include attempts to send a message, overwrite a shared file, transfer data to an unapproved destination, and follow an instruction embedded in an external document. The expected result needs to be verified for each app and action, not assumed from a workspace-wide toggle.
Audit Coverage Has Gaps IT Must Measure
The third check is whether ChatGPT Work produces enough telemetry for detection, retention, e-discovery, and incident response.OpenAI’s Compliance API and Compliance Logs platform can expose conversations, connected app usage, shared data, and related metadata to enterprise security systems. That information can be integrated with SIEM, data-loss prevention, and e-discovery tooling, subject to the organization’s ChatGPT plan and configuration.
However, administrators should verify the granularity of those records. OpenAI’s documentation for ChatGPT agent capabilities has previously noted that conversations involving agent tasks may appear in compliance logs while individual virtual-computer operations, app requests, and internal reasoning are not necessarily recorded as separate events. OpenAI also says app calls are logged, but the coverage can differ by feature and execution path.
For Windows administrators, this means ChatGPT telemetry should be correlated with existing endpoint and cloud records rather than treated as a complete audit trail. Microsoft Defender for Endpoint, Windows event logs, Entra ID sign-in data, Microsoft Purview, application audit logs, proxy records, and file-system monitoring may hold evidence that the ChatGPT console does not.
A useful pilot test is to reconstruct one task from beginning to end. The security team should be able to determine who started it, which identity and integrations were used, what data was read, what external actions occurred, which approvals were presented, and what files or records changed.
If investigators cannot answer those questions, the workflow should not receive permission to modify production systems.
Prompt Injection Moves From Bad Output to Bad Actions
The underlying agent-security problem is that ChatGPT Work may process untrusted instructions while holding trusted access. A malicious command hidden in an email, document, support ticket, website, or calendar entry could try to redirect the agent from the employee’s original objective.OpenAI describes prompt injection as a continuing security risk and offers mitigations including restricted network access, app controls, approval prompts, and Lockdown Mode. Lockdown Mode is intended to reduce the final stage of data exfiltration by limiting outbound network requests and, in some configurations, blocking live connector access and write operations. OpenAI cautions that it does not guarantee that exfiltration is impossible.
The OWASP Top 10 for Agentic Applications places agent goal hijacking, tool misuse, and identity or privilege abuse among the central risks for autonomous systems. Each becomes more serious when an agent can combine information from several applications and then act through a browser or desktop session.
NIST’s Generative AI Profile offers a broader structure for assigning risk owners, documenting safeguards, testing system behavior, and tracking residual risk. It does not replace Entra ID conditional access, endpoint controls, DLP, retention policies, or application-specific auditing, but it can help organizations apply those controls consistently to agent workflows.
ChatGPT Work’s productivity case is clear: it can turn scattered messages, files, and business records into completed deliverables without requiring an employee to manually transfer information between applications. The same reach makes a permissive deployment difficult to distinguish from giving a new automation account access to the desktop, browser, and company SaaS estate.
The prudent Windows rollout starts with least-privilege connections, mandatory approval for write actions, and tested end-to-end logging. Until those three controls are proven in the organization’s own environment, ChatGPT Work should remain a supervised pilot—not an unattended digital employee.
References
- Primary source: TechRepublic
Published: 2026-07-14T13:07:27+00:00
OpenAI Brings ChatGPT Work to Office Tasks: 3 Security Checks for IT Teams - TechRepublic
OpenAI’s ChatGPT Work brings AI agents into everyday office workflows. Here are the access, approval, and logging controls IT teams should check first.www.techrepublic.com
- Official source: openai.com
ChatGPT Work with GPT-5.6 | OpenAI
ChatGPT Work, powered by GPT-5.6, helps teams take on ambitious work and turn goals into finished outputs. Connect tools, automate tasks, and keep projects moving.openai.com - Official source: help.openai.com
Using Codex with your ChatGPT plan | OpenAI Help Center
How to access and get started with Codex
help.openai.com
- Official source: edunewsletter.openai.com
Introducing ChatGPT Work. A More Capable ChatGPT for Education
Introducing ChatGPT Work, a new way for faculty and staff to carry out longer, multi-step work across approved files, connected apps, and the web.edunewsletter.openai.com - Official source: academy.openai.com
ChatGPT Work: Champion Rollout Guide - Resource | OpenAI Academy
Unlock the new opportunities of the AI era by equipping yourself with the knowledge and skills to harness artificial intelligence effectively.
academy.openai.com
- Official source: cdn.openai.com