Audience: IT, Security, and Operations administrators.
Goal: Launch a secure and governed ChatGPT Enterprise workspace that scales without creating policy debt.
Security baseline — quick view
- Verify domains → enable SSO → optionally enable automatic account creation → connect SCIM.
- Keep RBAC simple with 3–4 groups mapped to lightweight custom roles.
- Default sharing to invite-only or workspace-only; allowlist Actions domains before enabling.
- Leave connectors off by default and grant per role or group.
- Finalize retention, residency, and IP allowlists before pilots sign in.
- Automate Compliance API exports to your eDiscovery or SIEM tooling.
Secure workspace access
Verify domains, enforce SSO, connect SCIM, and nail baseline policies before launch.
Configure AI policy reminders
Set up recurring policy modals to keep organizational AI guidelines visible to users.
Design roles & guardrails
Keep permissions predictable with simple groups and lightweight custom roles.
Govern GPT publishing
Default to safe sharing, allowlist Actions domains, and gate connectors tightly.
Automate compliance & discovery
Export audit data, integrate Purview, and keep regulated content discoverable.
Launch & onboard teams
Enforce endpoint protections, prep admins, and guide employees through rollout.
Secure workspace access
Confirm identity, provisioning, and baseline workspace policies before inviting a broad audience.
Verify corporate domains
Go to Manage workspace → Identity & provisioning, add the TXT records shown there to your DNS, and verify each domain. Domain verification is a prerequisite for SSO, automatic account creation, and SCIM.
Enable SAML SSO
Configure SSO with your IdP (Okta, Entra ID, Ping, etc.). If you use both ChatGPT Enterprise and the API platform, enable SSO on both.
(Optional) Automatic account creation
Allow anyone who authenticates via SSO with an email address on a verified domain to join the workspace. Helpful for phased, self-serve rollouts; because eligibility is decided at the IdP, restrict the application's user assignment there if only a subset of those users should receive a seat.
Provision with SCIM
Sync users and groups from your IdP. Start with pilot groups, confirm mappings, then expand.
Harden workspace policies
Set IP allowlists, retention windows, and data residency. Enterprise data is excluded from model training by default—confirm it aligns to policy.
Quick start checklist
- Add TXT records and verify all corporate domains.
- Turn on SAML SSO and test with a 3–5 person pilot group.
- Decide whether automatic account creation is in scope for phase one.
- Connect SCIM and sync pilot groups first.
- Lock IP allowlists, retention, and data residency before rollout.
- Configure the AI policy modal to remind users of organizational policies.
Configure AI policy reminders
Keep your organization’s AI policies visible with the Enterprise AI Policy Modal.
Enterprise AI Policy Modal
From Workspace Settings → General, admins and owners can customize a modal that reminds users of your organization’s AI policies. In the Workspace Policy section, you can define the specifics of your organization’s AI policy. The policy modal is displayed to users every 30 days, or whenever it is updated.
Navigate to workspace settings
Click your profile icon and select Workspace settings, then go to the General tab.
Define your AI policy
In the Workspace Policy section, enter your organization’s AI policy text. Include key guidelines, acceptable use rules, and data handling requirements.
Policy modal best practices
- Keep the policy concise and actionable—users should understand key rules at a glance.
- Reference your full Acceptable Use Policy for detailed guidance.
- Update the modal when policies change to trigger an immediate reminder to all users.
- Coordinate with your legal and compliance teams to ensure the policy text aligns with organizational standards.
Design roles and guardrails
Keep permissions predictable without slowing pilots.
Roles
Create lightweight custom roles that expose only what teams need (GPT authoring, connectors, browsing, agents, Records). Prefer group inheritance over one-off user grants.
Groups
Map groups to how you deploy: default users, builders who create GPTs, technical teams with connectors, and higher-sensitivity functions (finance, legal).
| Group | Role(s) assigned | Connectors enabled |
|---|---|---|
| All employees | Default employee | none |
| Builders | Builder | none (sandbox only) |
| Engineering & data | Default + connector user | GitHub, Drive, SharePoint (allowlisted) |
| Finance & HR | Default (no connectors) | none |
| Legal & compliance | Default | internal tooling only |
| Frontline & field | Default (reduced) | none |
| Contractors | Default (reduced) | none |
Connectors are off by default on enterprise plans. Turn on only the ones you need and scope use by role or group.
RBAC quick checks
- Create high-level groups and assign pilot members.
- Build custom roles with only the required toggles.
- Assign roles to groups (not individuals) and test with a sample user.
- Keep sensitive connectors fenced to specific groups.
- Schedule a quarterly RBAC and connector review.
Govern GPT publishing
Default to safe sharing, then widen scope as governance and review processes mature.
Default to invite-only or workspace-only sharing. Hold off on external GPTs until guardrails and review processes are in place.
Recommended publish flow

Publishing guardrails
- Set default sharing to invite-only or workspace-only.
- Create and maintain an Actions domain allowlist.
- Gate each connector behind a business case plus RBAC scope.
- Require review for GPTs that touch regulated or customer data.
- Schedule a 90-day lifecycle review to archive unused GPTs.
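The Actions domain allowlist above is only as good as the matching logic behind it. The check below is an added example, not OpenAI's code or the product's own matching logic, showing how a reviewer can validate a GPT's Action URLs against an allowlist: exact-host or explicit-zone matching rather than substring matching, HTTPS only, default port only, and rejection of URLs that carry userinfo so a trusted name cannot be used to disguise another host. The allowlist entries, hostnames and URLs are constructed for illustration.

```python
"""Allowlist check for GPT Action URLs.

Added example, not OpenAI's code: it shows how an Actions domain allowlist
should be matched so that a GPT can only call hosts you have approved.
The allowlist entries, hostnames and URLs below are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist. A bare entry allows exactly that host; a "*." entry
# allows any subdomain of the zone (any depth) but not the zone apex itself.
ACTIONS_ALLOWLIST = frozenset({
    "api.example-corp.com",
    "*.internal.example-corp.com",
})


def naive_allowed(url, allowlist=ACTIONS_ALLOWLIST):
    """The common mistake: substring matching on the raw URL text. Kept only
    to show what it lets through; action_url_allowed is the fixed version."""
    return any(entry.lstrip("*.") in url for entry in allowlist)


def host_allowed(host, allowlist=ACTIONS_ALLOWLIST):
    """Exact match, or match against a '*.' entry for any proper parent zone."""
    host = host.lower().rstrip(".")      # DNS names are case-insensitive; drop trailing dot
    if host in allowlist:
        return True
    labels = host.split(".")
    # a.b.zone.tld is checked as *.b.zone.tld, *.zone.tld, *.tld
    return any("*." + ".".join(labels[i:]) in allowlist for i in range(1, len(labels)))


def action_url_allowed(url, allowlist=ACTIONS_ALLOWLIST):
    """Return (allowed, reason). Accepts only https to an allowlisted host on
    the default port, with no credentials or userinfo in the URL."""
    try:
        parts = urlsplit(url)
        port = parts.port                # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if parts.username is not None or parts.password is not None:
        # https://api.example-corp.com@evil.example/ parses with hostname evil.example;
        # a substring check on the URL text sees the trusted name and passes it.
        return False, "credentials/userinfo present in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port not in (None, 443):
        return False, f"non-default port {port}"
    if not host_allowed(host, allowlist):
        return False, f"host {host} is not on the Actions allowlist"
    return True, "ok"


def review_action_urls(urls, allowlist=ACTIONS_ALLOWLIST):
    """Batch check for a GPT's Action endpoints; returns rejected URLs with reasons."""
    rejected = []
    for url in urls:
        ok, reason = action_url_allowed(url, allowlist)
        if not ok:
            rejected.append((url, reason))
    return rejected


if __name__ == "__main__":
    candidates = [
        "https://api.example-corp.com/v1/tickets",
        "https://hr.internal.example-corp.com/lookup",
        "http://api.example-corp.com/v1/tickets",
        "https://api.example-corp.com.evil.example/",
        "https://api.example-corp.com@evil.example/",
        "https://api.example-corp.com:8443/",
    ]
    for url, reason in review_action_urls(candidates):
        print(f"REJECT {url}: {reason}")
```

Run it against the Action URLs declared in a GPT's OpenAPI spec before approving the GPT for workspace-wide sharing; the two look-alike URLs in the sample list are exactly the cases the naive substring check accepts.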
Automate compliance and discovery
Turn on audit-grade logging, plan discovery workflows, and keep regulated content traceable.
Compliance API exports
Export conversation metadata, GPT events, and Records for eDiscovery, DLP, or SIEM. Compliance endpoints respect IP allowlists, so configure IP restrictions before issuing API keys. Use User Analytics for adoption trends and reserve the Compliance API for audit logging.
Compliance API setup
- Issue a Compliance API key to your security or legal owner.
- Apply IP allowlists to the compliance endpoints.
- Automate daily exports to your SIEM or data lake.
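The export job below is an added example, not OpenAI's code. It covers the three steps just listed as one runnable script: a pre-flight check that the host running the export sits inside the IP allowlist applied to the compliance endpoints, cursor-based paging with a persisted checkpoint so each scheduled run picks up where the last one stopped, and de-duplication across page boundaries so re-runs are idempotent before the NDJSON lines are handed to a SIEM or data lake. The response shape (`data`, `has_more`, `last_id`), the `after` cursor parameter, the record fields and the sample pages are assumptions made for the example and are not taken from this page; adjust the field names to the real schema.

```python
"""Incremental Compliance API export to NDJSON with an IP-allowlist pre-flight.

Added example, not OpenAI's code. It assumes (these are assumptions, not taken
from the page) that the compliance endpoint pages results as
{"data": [...], "has_more": bool, "last_id": "<cursor>"}, accepts an `after`
query parameter, and gives every record a unique "id". Adjust the field names
to the real schema; the pagination, checkpointing and dedup logic carry over.
"""
import ipaddress
import json
from typing import Callable, Iterable, Optional

Fetcher = Callable[[Optional[str]], dict]


def egress_allowed(egress_ip: str, allowlist_cidrs: Iterable[str]) -> bool:
    """Pre-flight: the host running the export must be inside the allowlist
    applied to the compliance endpoints, or every call fails and the failure
    looks like an API outage rather than a policy decision."""
    ip = ipaddress.ip_address(egress_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist_cidrs)


def export_pages(fetch: Fetcher, cursor: Optional[str], sink: list, seen: set) -> Optional[str]:
    """Walk pages from `cursor`, append new records to `sink` as NDJSON lines,
    skip ids already exported, and return the cursor to persist for the next run."""
    while True:
        page = fetch(cursor)
        for rec in page.get("data", []):
            if rec["id"] in seen:
                continue                  # overlap at a page boundary: re-runs stay idempotent
            seen.add(rec["id"])
            sink.append(json.dumps(rec, sort_keys=True, separators=(",", ":")))
        if not page.get("has_more"):
            return page.get("last_id", cursor)
        cursor = page["last_id"]


def run_export(fetch: Fetcher, state: dict) -> tuple:
    """One scheduled run: resume from `state`, return (ndjson_lines, new_state).
    Persist new_state (for example a small JSON file beside the export) between
    runs. In a long-lived job, bound `seen` to the ids of the final page only."""
    seen = set(state.get("seen", []))
    sink: list = []
    cursor = export_pages(fetch, state.get("cursor"), sink, seen)
    return sink, {"cursor": cursor, "seen": sorted(seen)}


def exported_ids(lines: Iterable[str]) -> list:
    """Record ids in an NDJSON export, in export order."""
    return [json.loads(line)["id"] for line in lines]


def make_http_fetcher(url: str, api_key: str, timeout: float = 30) -> Fetcher:
    """Real transport. Assumed request shape: Bearer token and an `after`
    cursor query parameter. Not exercised here; sample_fetcher runs offline."""
    import urllib.parse
    import urllib.request

    def fetch(cursor: Optional[str]) -> dict:
        query = "?" + urllib.parse.urlencode({"after": cursor}) if cursor else ""
        req = urllib.request.Request(url + query, headers={"Authorization": f"Bearer {api_key}"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)

    return fetch


# Constructed sample pages: conv_002 appears on two pages (boundary overlap).
_SAMPLE_PAGES = {
    None: {"data": [{"id": "conv_001", "user": "alice@example.com", "created_at": 1700000000},
                    {"id": "conv_002", "user": "bob@example.com", "created_at": 1700000060}],
           "has_more": True, "last_id": "conv_002"},
    "conv_002": {"data": [{"id": "conv_002", "user": "bob@example.com", "created_at": 1700000060},
                          {"id": "conv_003", "user": "carol@example.com", "created_at": 1700000120}],
                 "has_more": True, "last_id": "conv_003"},
    "conv_003": {"data": [], "has_more": False},
}


def sample_fetcher(cursor: Optional[str]) -> dict:
    """Offline stand-in for make_http_fetcher, serving the constructed pages."""
    return _SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    # Constructed egress IP and allowlist; in production read both from config.
    if not egress_allowed("203.0.113.7", ["203.0.113.0/24"]):
        raise SystemExit("export host is outside the compliance IP allowlist")
    lines, state = run_export(sample_fetcher, {"cursor": None, "seen": []})
    print("\n".join(lines))
    print("next checkpoint:", state["cursor"])
```

Schedule `run_export` daily with `make_http_fetcher` in place of `sample_fetcher`, keep the API key in a secrets store rather than in the script, and alert on an empty export for more than one run, since an allowlist change or a revoked key shows up as silence rather than as an error in the data.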
Integrate Microsoft Purview
Pick your ingestion route
Choose mailbox archiving via partner connectors or direct import to eDiscovery (Premium) review sets based on retention and legal needs.
Configure ingestion
In Purview, set up the connector or import job, then map custodians to the correct mailboxes or review sets.
Launch and onboard teams
Deliver a great first-run experience while enforcing endpoint controls and change management.
Enforce endpoint DLP for browsers
Deploy the Purview extension for Chrome on Windows. macOS enforcement does not require the extension. Roll out only after devices are onboarded to Endpoint DLP so policies take effect immediately.
Admin playbook
Pilot with admins, security, and builders before broad access. Track adoption in User Analytics (export CSVs for deeper reviews) and share guardrails plus department-specific starter prompts ahead of go-live.
Individual setup
Sign in with SSO
Always use corporate SSO on web, desktop, and mobile. Bookmark the enterprise login URL so users avoid personal accounts.
Set Custom Instructions
Encourage role, tone, and compliance reminders in Custom Instructions. Avoid confidential data and review periodically.
Join the right groups
Confirm each user is in the correct groups—permissions and GPT access inherit from group membership.
Use internal GPTs first
Promote GPTs your builders publish for internal use. Allow public GPTs only after controls are in place.
Handle files and data carefully
Reinforce data-classification rules. If a connector or dataset isn’t available to a group, the data shouldn’t be pasted manually.
Rollout quick checks
- Pilot with builders and security, and publish a small internal GPT library.
- Share “Start here” guidance plus role-specific prompt packs.
- Monitor weekly adoption and coach low-usage teams.
- Review RBAC, connectors, and GPT inventory quarterly.
Appendix
Roles and capabilities
Roles (Owner, Admin, Member) and their default capabilities.
RBAC design
RBAC design (custom roles → groups → users inherit).
Group-level sharing
Group-level sharing for GPTs and Projects.
Identity & provisioning
Identity & provisioning (SSO, automatic account creation, SCIM).
Connector administration
Connector administration (off by default; enable per connector and group).
Compliance API logging
Compliance API logging for eDiscovery, DLP, SIEM ingestion.
User Analytics dashboards
User Analytics dashboards for adoption tracking.
Data retention & residency
Data retention, data residency, and training exclusions.
IP allowlisting
Workspace and Compliance API IP allowlisting.
Microsoft Purview controls
Microsoft Purview controls (connectors/import, eDiscovery (Premium), Content Search, Chrome DLP extension).
Self-check: First-time admin test
Can a new admin follow this in 5 minutes?
- I can see the five focus areas above the fold and know where to start.
- Each section begins with Steps/Tabs and ends with a quick checklist I can tick through.
- I know the safe defaults (SSO on, connectors off, invite-only sharing, domain allowlist for Actions).
- I have a clear path to auditability (Compliance API + Purview) and a 90-day review loop.