OpenAI
GPT-4o
v4o · frontier · Released May 13, 2024
Updated June 27, 2026
No active compliance flags. Generally available via API and ChatGPT.
Enterprise guidance
GPT-4o is broadly available and the recommended default for organizations that need a commercially cleared frontier model. For regulated industries, use ChatGPT Enterprise or Azure OpenAI Service — both offer zero data retention, configurable data residency, and HIPAA Business Associate Agreements. The standard API retains inputs and outputs for 30 days by default; disable this in API settings or switch to a zero-retention endpoint.
Data handling
Default data retention
30 days (API); zero by default (ChatGPT Enterprise, Azure OpenAI)
Zero-retention available
Yes. Via: ChatGPT Enterprise; Azure OpenAI Service
API data used for training
No. API data is not used to train OpenAI models by default. ChatGPT.com free tier may use conversations for model improvements unless opted out in settings.
GDPR Data Processing Agreement
Available
HIPAA Business Associate Agreement
Available (ChatGPT Enterprise; Azure OpenAI Service)
Data residency options
US (default); EU and APAC regions available via Azure OpenAI
Vendor compliance certifications
Key use restrictions
- No CSAM or sexual content involving minors
- No instructions for creating weapons capable of mass casualties (biological, chemical, nuclear)
- No cyberweapons or malicious code intended to cause significant damage
- No content designed to facilitate real-world violence against specific targets
- No election interference or voter suppression content
Safety documentation
GPT-4o System Card published May 2024. OpenAI Preparedness Framework published. Third-party red-team evaluations conducted by external safety researchers before release.
Related governance resources
Governance controls
AI Vendor Due Diligence
Assess AI vendors against security, governance, and compliance criteria before procurement and at defined intervals during the vendor relationship.
AI Contractual Requirements
Define minimum contractual provisions that must be present in agreements with AI vendors, covering data handling, transparency, audit rights, and incident notification.
AI Procurement Risk Assessment
Assess and document the risks of procuring an AI system or service before approval, including technical, legal, privacy, and operational risks.
AI Vendor Concentration Risk Assessment
Assess and manage the risk arising from organizational dependence on a small number of AI vendors or underlying model providers, and maintain a documented supplier redundancy posture to ensure operational continuity if a primary vendor is disrupted, suspends access, or becomes unavailable.
Third-Party AI Model Evaluation
Evaluate third-party AI models against defined performance, safety, and bias criteria before deploying them in enterprise workflows.
Playbook guides
How do we ensure third-party AI vendors meet our standards?
Extending vendor due diligence to cover model transparency, data handling, bias testing, and contractual liability for AI outputs.
How do we maintain data privacy compliance when using AI?
Addressing training data sourcing, data minimization, cross-border transfers, and the right to explanation under GDPR and CCPA.
How are we managing third-party AI risks?
Governing the use of external AI APIs and vendor-embedded models, including data handling, documentation requirements, and ongoing monitoring.
