Foundation model · General sector · Last reviewed:

OpenAI ChatGPT & API

OpenAI, L.L.C. · EFROS US AI Vendor Governance Index entry

By Stefan Efros, CEO & Founder, EFROS · Reviewed by Daniel Agrici, Chief Security Officer, EFROS

Composite governance score

53 / 100 (grade D)

D = thin posture. Deploy only for low-risk, non-regulated workloads under strict scope.

Axes scored: 8 / 11
Trust-center maturity: 4 / 5
Sector weighting: General sector

About this vendor

GPT-class foundation models delivered via ChatGPT consumer/enterprise tiers and a developer API. The most-deployed generative AI vendor in US enterprise.

Enterprise tier
ChatGPT Enterprise, ChatGPT Team, ChatGPT Edu, OpenAI API (paid)
Consumer tier
ChatGPT Free, ChatGPT Plus
Vendor homepage
https://openai.com

Twelve-axis governance scoring

Each axis is scored Yes / Partial / No / N/A against public evidence — vendor trust portals, BAAs/DPAs, SOC 2 report cover pages, published methodology documents. N/A applies when the axis is structurally inapplicable (foundation models, for example, defer Section 1557 to the downstream healthcare deployer).

| Axis | Status | EFROS note | Source |
|---|---|---|---|
| BAA / DPA available | Partial | BAA available for ChatGPT Enterprise and OpenAI API on opt-in. ChatGPT Free, Plus, and Team have no BAA — never use for PHI. | OpenAI Enterprise Privacy |
| Training-data opt-out | Partial | Enterprise/Team/API default to no-train on customer data. ChatGPT Plus and Free require manual opt-out via settings (data still used for safety/abuse monitoring). | OpenAI Data Controls FAQ |
| US data residency option | Partial | Data Residency in the US available for ChatGPT Enterprise/Edu and API. Not default — must be configured. | OpenAI Data Residency announcement |
| SOC 2 Type II report | Yes | SOC 2 Type II report available through OpenAI Trust Portal under NDA. ISO 27001:2022, 27017, 27018 also held. | OpenAI Trust Portal |
| ISO/IEC 42001 attestation | No | No ISO/IEC 42001 attestation as of May 2026. OpenAI publishes a Preparedness Framework and Model Spec but no third-party AI MS audit. | OpenAI Trust Portal certificate index |
| NIST AI RMF self-attestation | Partial | Public alignment via OpenAI's Preparedness Framework and Model Spec. No formal NIST AI RMF self-attestation document. | OpenAI Preparedness Framework |
| Colorado AI Act readiness | No | No public Colorado AI Act SB 24-205 compliance statement. Downstream deployers using OpenAI in high-risk decisions carry the compliance burden. | Public posture review |
| HHS-OCR Section 1557 readiness | N/A | Foundation model — downstream healthcare deployer owns Section 1557 algorithmic non-discrimination obligation. | HHS-OCR Section 1557 Final Rule (May 2024) — deployer scope |
| FRB SR 11-7 readiness | N/A | Foundation model — downstream financial institution owns SR 11-7 validation responsibility. | FRB SR 11-7 — deployer scope |
| ABA Formal Op 512 readiness | N/A | Foundation model — downstream law firm owns ABA Formal Opinion 512 obligation. | ABA Formal Op 512 — practitioner scope |
| Subprocessor list public | Yes | Subprocessor list public (Microsoft Azure hosting, Stripe billing, Snowflake analytics, etc.). | OpenAI Enterprise Privacy — Subprocessors |

Trust-center maturity

4 / 5

Active trust portal at trust.openai.com — audit reports under NDA, security whitepaper, public policy documents. Falls short of a 5 because no public ISO 42001 or Colorado AI Act statement yet.

Source: OpenAI Trust Portal

Deep dive

Overview

OpenAI is the highest-volume US AI vendor in regulated buyer pipelines. The governance posture is strong on the enterprise tier (BAA, no-train default, US data residency, SOC 2 + ISO 27k stack) and weak on consumer (no BAA, manual opt-out, no residency control). The single biggest deployment risk we see is staff using consumer ChatGPT for work where Enterprise was assumed.

Strengths

  • BAA available for ChatGPT Enterprise + API
  • Default no-train on customer data at Enterprise/Team/API tiers
  • Mature trust portal with under-NDA audit reports
  • US data residency option for enterprise customers

Weaknesses

  • No BAA on Plus/Team/Free — common shadow-AI source
  • No ISO/IEC 42001 attestation as of May 2026
  • No public Colorado AI Act compliance statement
  • Sector-specific readiness (Section 1557, SR 11-7, ABA Op 512) is deployer responsibility — no vendor-side support

Best-fit use case

Regulated organizations that have already standardized on ChatGPT Enterprise with the BAA in place, training opt-out enforced, and Data Residency in the US enabled — and have eliminated shadow consumer-tier use through DLP + identity policy.

Avoid when

PHI workflows on ChatGPT Plus, Team, or Free; clinical decision support without a separately validated Section 1557 layer; bank credit decisioning without an SR 11-7 wrapper on top.

Operator's take

Deploy OpenAI ChatGPT & API in regulated organizations that have already standardized on ChatGPT Enterprise with the BAA in place, training opt-out enforced, and Data Residency in the US enabled — and that have eliminated shadow consumer-tier use through DLP + identity policy. The composite score of 53 (grade D) reflects a mixed posture for regulated US workloads. Skip the vendor for PHI workflows on ChatGPT Plus, Team, or Free; for clinical decision support without a separately validated Section 1557 layer; and for bank credit decisioning without an SR 11-7 wrapper on top. In every deployment, treat the cells above as a snapshot — the acquisition that gets to production safely is the one that re-verifies the trust-center posture before contract signature and rebuilds the matrix at renewal.

How this scoring is computed

The composite score blends eleven scoreable axes (BAA, training opt-out, US data residency, SOC 2, ISO/IEC 42001, NIST AI RMF, Colorado AI Act, Section 1557, SR 11-7, ABA Op 512, subprocessor transparency) with the trust-center maturity score. Axes marked N/A are excluded from the denominator so vendors are not penalized for sector-inapplicable axes. The vendor's primary sector amplifies the most relevant axes — healthcare vendors weight Section 1557 ×2, legal vendors weight ABA Op 512 ×2, banking vendors weight SR 11-7 ×2 — so the composite reflects what matters in the actual buying context.


Disagree with this scoring?

EFROS publishes scoring rationale per cell with a public source. If you have evidence that a specific axis should score differently — a new BAA, a new certification, a documented policy change — submit a formal challenge below. We re-score and publish the result with the next quarterly edition (or as a mid-quarter changelog entry if the change is material).

Disagree with a score?

Every cell in the EFROS Index is source-cited. If you have a public source that contradicts a score for OpenAI ChatGPT & API, submit a formal challenge — we re-verify against the source and respond within 14 days.


Disclaimer. Scoring as of 2026-05-13. Posture changes frequently — re-verify with the vendor's trust center before contract. This page is informational; it is not legal advice. EFROS clients get a refreshed posture review as part of the AI Governance Audit.

Take the scoring into production

The Index tells you the posture. These engagements turn the posture into a deployable program — vendor selection, governance policy, sector overlay, audit-ready evidence.