Compliant Use Of ChatGPT

Written By Murray Clarke

The Risk Everyone Knows

Most recruiters are still using ChatGPT in a browser tab. That feels harmless — until you look at the controls hidden inside the settings menu.

Everyone’s aware of the first risk: training. Upload a CV, a client org chart, or internal notes, and in theory that data might be used to train the model. Thankfully, there’s a toggle for that: Improve the model for everyone. Switch it off and you’re covered.

But that’s not the button that should keep CISOs awake.

The Risk Nobody Talks About

Sitting just below it is Export Data.

Think about what that means in practice:

  • A recruiter uploads 500 CVs to ChatGPT to generate summaries.

  • A consultant drops in client contracts for quick review.

  • A financial analyst pastes internal models.

All of that data now lives in the workspace. And with a single click, the entire dataset can be exported in JSON or another machine-readable format.

This isn’t just about whether vendors encrypt data in transit, or whether they use your inputs for training. It’s about insider export controls. Who in your team can move data out? Can you restrict it? Can you monitor it?

When asked directly, ChatGPT’s own response was blunt:

“On the Enterprise Edition (Team and Enterprise plans), there’s currently no admin toggle to disable the ‘Export Data’ feature for users.”

That gap should worry every CISO.

Why Recruiters Should Care

In recruitment, the exposure is obvious: CVs, candidate histories, salary data. These aren’t just files — they’re the personal details people trust us to protect.

Swap “CV” for financials in banking, research data in pharma, or IP in tech. The risk is the same.

Recruiters are custodians of trust. Clients share strategic hiring plans, candidates share personal career details, and we sit in the middle. Mishandle that information, and trust is gone.

AI can make recruiters faster, but without guardrails it also makes leaks easier.

How to Preempt Compliance Breaches

You don’t need invasive watchdog software or draconian monitoring to keep control. Smarter options exist:

  • Trust Policies First – set clear rules on how AI can be used. If CVs go in, they don’t come out untracked.

  • Role-Based Access – not everyone needs export rights. Restrict the ability to pull data in bulk to admins only.

  • API, Not Tabs – where possible, use API-based integrations that control where data lives, rather than browser sessions with uncontrolled exports.

  • Transparency & Training – ensure your team knows the risks, and that compliance is everyone’s job.

These are simple, preemptive steps that reduce risk without creating a surveillance culture.

The Way Forward

AI adoption is inevitable. But adoption without compliance is a liability.

Recruiters — and frankly, anyone handling sensitive data — need to take export risks seriously. Don’t treat ChatGPT like a toy in a tab.

At TalentHub, we only use the API, on our own data, with no training. That gives us control over where information lives, and removes the risk of uncontrolled exports.

The compliance industry will do well out of this gap. Until platforms offer stronger admin tools, leaders should use trust-based policies, restricted access, and API-driven solutions to stay safe.

The recruiters — and companies — that get this right will be the ones still standing in five years.

Murray Clarke
Next

In executive search, it’s about the Why, not the What.