AI & Privacy

ChatGPT Work Reaches Into Your Files. What It Keeps

Aditya Kumar JhaAditya Kumar JhaLinkedIn·July 11, 2026·11 min read

ChatGPT Work can reach into Slack, Drive, email and your files. Here is what it sees, what it keeps, and who can read it.

You connect ChatGPT Work to your Google Drive to build one report. It keeps a standing line into every file, folder and shared doc in that account. That is the real story of OpenAI's July 9, 2026 launch: the exposure is not a single chat, it is an agent with continuous reach across your Slack, email, calendar and drive at once.

What ChatGPT Work actually is

ChatGPT Work is an agent, not a chatbot. OpenAI launched it on Thursday, July 9, 2026, powered by GPT-5.6, and pitched it around long assignments instead of one-off prompts. It can take a goal, pull context from your connected apps and files, and stay on a project for hours to produce finished work: documents, spreadsheets, presentations, reports and even live websites.

GPT-5.6 ships in three variants: Sol, the most powerful; Terra, the balanced everyday option; and Luna, the fastest. A feature called Sites launched alongside it in public beta, turning a project into an interactive site or web app such as a dashboard or project tracker. The point of all of it is autonomy: the agent keeps working while you are away, then hands back a completed artifact.

Insight

A chatbot answers a question. An agent reaches into your accounts, acts, and holds context across the whole chain of steps. That difference is the entire privacy conversation.

The framing matters because it changes how you should evaluate the tool. When ChatGPT was a text box, the worst case was the model seeing the paragraph you pasted. When it is an agent that authenticates into your Drive and mailbox, the worst case is everything reachable through those grants. OpenAI's own positioning leans into this: the pitch is longer assignments, not one-off prompts, which by design means the agent needs durable access rather than a single hand-off.

The connected-apps directory is the real surface

ChatGPT Work runs on a unified directory of connected apps. Out of the gate it links Slack and Microsoft Teams, Google Drive and SharePoint, email, calendars, CRMs and project-management tools. You can point the agent at any of them inside a prompt by typing an @ and the app name, so one instruction can touch messages, files and events across several systems at once.

Here is the shift most coverage glossed over. A single ChatGPT conversation sees only what you paste into it. A connected agent authenticates once, then holds a durable grant to whatever that OAuth scope allows: not the one file you cared about, but the whole Drive, the whole mailbox, the whole Slack workspace it can read. The reach is standing, not per-question. You are no longer sharing a file. You are handing over the key to the room the file lives in.

What it gathers, and what it keeps

To finish a task, ChatGPT Work gathers context from apps, files and workflows, and it holds that context across the whole chain so nothing has to be re-explained at each step. That persistence is what makes the agent useful. It is also what makes the memory question sharp: the more of your accounts you connect, the more of your working life becomes retrievable context for a system that is not sitting on your own hardware.

On the retention side, OpenAI gives Business, Enterprise and Edu customers ownership and control of their business data and does not use information accessed from apps to train models. Enterprise memory can store organization-specific facts and preferences, and admins can moderate what gets written or disable memory entirely. So the raw exposure is governed. It is governed by settings someone in your org configures, not by architecture that keeps the data unreadable in the first place.

Pro Tip

Before you connect an app, check the OAuth scope, not the task. Read-only to a single shared folder is a different exposure than full-drive read-write, even if today you only need one file.

There is a second, quieter form of memory to watch: the artifacts. When the agent builds a report by reading twelve source files, the finished document can carry facts, figures and phrasing lifted from all twelve, some of which you never meant to combine in one place. A spreadsheet stitched from HR exports and finance sheets is a new data object with its own audience. The agent leaked nothing. It concentrated information that used to sit scattered and safe, and concentration is its own risk.

Who can see it in an Enterprise or admin setting

In a managed workspace, the answer to who sees your agent activity is: your administrators can. Enterprise and Edu admins control which apps are enabled, on a per-app and for some apps per-action basis, and they can require approval before sensitive actions run. That is good governance. It also means the connected agent is a shared surface, not a private one.

Visibility is real but bounded. OpenAI's Compliance Logs Platform surfaces user prompts and agent responses to the organization, though it does not track files, actions or tool calls, and the platform retains those logs for 30 days unless the org exports them elsewhere for longer. Translation: your prompts and the agent's replies can be reviewed by your employer, retention of the rest depends on your workspace plan and admin settings.

The 30-day window, in plain terms

Be concrete about what admins actually get. The Compliance Logs Platform records the user prompts and the agent's responses, and it keeps them for 30 days before deletion unless the organization exports them into its own systems for longer. It does not, per OpenAI's documentation, track the files touched, the actions taken, or the individual tool calls. So the review layer is real but partial: an employer can read the conversation, yet the fuller trail of what the agent did across your apps never lands in that log. Whether that gap reassures you or worries you depends on which side of it you sit.

DimensionA single ChatGPT chatA connected work agent
What it can seeOnly what you paste inWhatever the OAuth scope allows across the app
Access durationOne conversationStanding, until you revoke it
Apps in playNone by defaultSlack, Teams, Drive, SharePoint, email, calendars, CRM
Who else can viewYouWorkspace admins via compliance logs
Context retainedThat threadHeld across the whole task chain, plus memory
  • Scope of access: a chat sees a snippet, a connected agent sees whatever the token grants across the app.
  • Duration: a chat ends, a connection persists until someone revokes it.
  • Audience: your prompts and the agent's replies can surface in admin compliance logs.
  • Retention: how long anything is kept depends on your workspace plan and admin settings, not on you.
  • Concentration: the agent's output can merge data from many sources into one exportable file.

The trade-off you are actually accepting

Here is what most takes on this launch get wrong: they worry about the model. The model is not the exposure. The connective tissue is. GPT-5.6 could be flawless and the risk would still be there, because the risk lives in the standing grants you hand to an agent that spans every app you use. One compromised token, one over-broad scope, one misconfigured admin policy, and the thing that made the agent useful becomes the thing that leaks.

This is not a reason to avoid agents. It is a reason to be deliberate about where your durable context lives. A team in Bengaluru, London or Singapore weighing ChatGPT Work should map it plainly: connecting Drive to build one deck is not the same as giving a hosted agent a permanent read on the whole account, visible to admins and retained by workspace policy. Convenience and standing access are the two sides of the same grant.

How to grant access without over-granting

You do not have to choose between using the agent and protecting your data. The middle path is disciplined scoping. Connect the narrowest app permission that finishes the job, prefer read-only where the task only reads, and treat every connection as temporary until proven otherwise. Where your admin console supports per-action controls and approval prompts before sensitive steps, turn them on, because a standing grant with an approval gate is safer than a standing grant without one.

  • Connect one app for one project, not your whole stack by default.
  • Choose read-only scopes whenever the agent only needs to read.
  • Turn on per-action approval for anything that sends, shares or deletes.
  • Revoke the connection when the task is finished, then reconnect next time.
  • Keep the documents you return to for years in a store with a narrow, known access model.

A memory layer you own, not a standing reach into everything

This is the exact gap MemX is built for. Instead of granting a work agent a permanent line into every app, you put the documents, PDFs, screenshots, voice notes and exports you actually care about into a private memory layer that is yours, then ask questions in natural language and get answers across all of it. MemX is private by architecture, with per-user isolation, customer-managed encryption keys, encryption at rest and on-device options, so your recall does not depend on how someone configured an admin panel. The context you keep is scoped to what you chose to save, not to whatever an OAuth token happened to allow.

The two approaches can coexist. Let an agent run the multi-step task when the payoff is real, and revoke the connection when it is done. Keep the durable memory, the receipts, the contracts, the research you return to for years, in a layer where the access model is narrow and known rather than broad and standing. The question is not whether agents are useful. It is which of your accounts should be permanently readable to finish this week's deck.

Frequently Asked Questions
01What is ChatGPT Work?

It is an OpenAI agent, launched July 9, 2026 and powered by GPT-5.6, that pulls context from your connected apps and files to complete long, multi-step tasks. It can produce documents, spreadsheets, presentations, reports and websites, and keep working while you are away.

02What apps can ChatGPT Work connect to?

A unified directory connects Slack, Microsoft Teams, Google Drive, SharePoint, email, calendars, CRMs and project-management tools. You can reference a connected app directly in a prompt by typing @ and the app name.

03What does ChatGPT Work remember?

It gathers context from apps, files and workflows and holds it across the whole task so nothing has to be re-explained. Enterprise memory can also store org-specific facts, though admins can moderate or disable it.

04Can my employer see my ChatGPT Work activity?

In a managed workspace, yes to a point. OpenAI's compliance logs surface user prompts and agent responses to the organization, retained for 30 days, though they do not track files, actions or tool calls.

05Who is getting ChatGPT Work first?

It rolled out on web and mobile starting with Pro, Enterprise and Edu users on July 9, 2026, expanding to Plus and Business users over the following days.

ChatGPT Work is a genuine step in what agents can do, and for many teams the productivity will be worth the setup. Just name the trade honestly before you click connect: you are not sharing a file, you are handing an agent a standing reach into the account behind it. Decide which context you want a hosted agent to hold, and which you would rather keep in a memory layer you control.

Read Next

Or try MemX to access 40+ AI models in one place — including Claude Sonnet 4.6 and GPT-5.4 — and get your questions answered today.

Was this article helpful?

Found this useful? Share it with someone who needs it.

Free · iOS, Android & WhatsApp

Stop losing what you save.
Let MemX remember it for you.

Every screenshot, photo, PDF and voice note — captured, encrypted, and instantly searchable. Ask in plain English, get the answer in seconds.

  • Reads text inside images and handwriting
  • Private and encrypted by default
  • Free to start, no credit card

Takes under a minute to set up. Your data stays yours.

Aditya Kumar Jha
Written by
Aditya Kumar JhaLinkedIn

Core software engineer at MemX, where he builds the website, backend, and data systems. Also a published author of six books on Amazon KDP, writing on AI, memory, and behavior.

Keep reading

More guides for AI-powered students.