When is a ChatGPT conversation a business record?

When the content relates to client business, investment recommendations, trading activity, firm operations, regulated services, or any other category of communication or record covered by existing rules. SEC Rule 17a-4, FINRA Rule 4511, and the Investment Advisers Act recordkeeping requirements (Rule 204-2) are channel-agnostic. The content of the communication, not the form factor of the interface, is what regulators have historically used to determine whether the obligation is implicated. A ChatGPT session in which an employee drafts a client recommendation, summarizes an analyst report, or reviews flagged communications is plausibly producing the same category of records an email would, and a firm should evaluate this question with its counsel.

What is the difference between ChatGPT and ChatGPT Enterprise for compliance?

ChatGPT Enterprise is OpenAI's offering for organizations that need administrative controls, SAML SSO, custom data retention, and a compliance API. ChatGPT Team and consumer-tier ChatGPT do not offer the same compliance hooks. If employees in a regulated firm are using consumer or Team ChatGPT for business work, there is no vendor-supported way to capture that activity through OpenAI's API. The activity is still subject to existing recordkeeping rules. The vendor capture path is what changes.

What about custom GPTs and GPT Actions?

Custom GPTs (configured assistants with specific instructions and knowledge files) and GPT Actions (HTTP integrations a GPT can call) introduce additional capture surface area beyond the chat transcript. The OpenAI Compliance Platform's own description includes 'workspace GPT configuration and metadata' alongside conversations and files. What each archive vendor's integration exposes from that surface area in examiner-ready form - specifically GPT Action arguments and results, knowledge retrievals, and execution context - is not consistently documented across vendor public materials as of 2026-05-15. A firm relying on this capture path for regulated activity should ask its vendor for dated documentation of what is and is not in the export.

What evidence is an examiner likely to ask for?

Expect requests in the form 'show me everything this employee did with AI on [date] relating to [client / matter / ticker].' For a ChatGPT session, a defensible answer includes the prompt and response (covered by current vendor capture), the system prompt the AI was operating under, attached knowledge files used, retrievals performed, tool calls or Actions invoked with arguments and results, the model identity and version, and any policy decisions made. The chat is a portion of this. The rest is execution context.

Are ChatGPT conversations business records?

Q: What does current vendor capture of ChatGPT actually cover?

As of public materials reviewed 2026-05-15, the major compliance archive vendors have shipped or are in progress on ChatGPT Enterprise integrations via the OpenAI Compliance Platform. OpenAI lists Global Relay as currently supporting updated conversation logs, with Smarsh and Microsoft Purview in progress for the same data type while supporting other data types. The Compliance Platform itself includes conversations, uploaded files, memories, users, and workspace GPT configuration and metadata. What each vendor exposes in an examiner-ready export beyond the chat transcript - specifically GPT Action arguments and results, knowledge file retrievals, and execution context - is not consistently documented across vendor public materials. If a specific capability matters, ask the vendor for dated documentation. Activity on ChatGPT Team or consumer tiers is not covered by the Compliance Platform path.

Part of: AI Activity Retention

AI Activity Retention for Regulated Firms The category overview - what AI activity retention means, what the two-layer record format covers, and how Arc spans human channels and AI execution.

A ChatGPT session that produces a client recommendation, drafts a piece of marketing copy that will go out under the firm’s name, or summarizes regulated communications for a compliance review is producing business records under existing rules. It’s the content that determines the obligation, not the interface.

This page covers what current compliance vendor capture actually preserves of a ChatGPT session, what it misses, and what a firm should expect to produce if an examiner asks.

When ChatGPT activity is likely a record

The existing recordkeeping framework is channel-agnostic. The same logic that applies to email, instant messaging, and mobile messaging plausibly applies to AI tool activity. If the content of the communication or activity relates to:

Client business, accounts, or recommendations
Trades, orders, or transactions
Marketing or solicitation material
Compliance review of business communications
Firm operations and personnel decisions in a regulated context
Any other category of activity covered by the firm’s recordkeeping obligations

The activity may be a record under existing rules. ChatGPT being the interface does not change the underlying obligation. Whether the firm has captured the activity, and in what fidelity, determines whether the firm can produce the record on examiner request.

This is the same logic the SEC and FINRA pursued during the 2021-2024 off-channel sweep. The activity was happening in WhatsApp, Signal, and iMessage. The firms had not captured it. The penalties followed. Whether AI activity follows the same enforcement pattern is not yet established, but the regulatory framework that would support that path is in place.

What ChatGPT actually produces

A modern ChatGPT session is not a simple prompt-response transcript. Depending on configuration, it may include:

User prompts and responses. The text the employee typed and the text the model produced.
File uploads. Documents, spreadsheets, and other files attached to the conversation. These often contain client or firm data.
Knowledge file retrievals. If a custom GPT is configured with knowledge files, the GPT retrieves content from those files during the conversation. The retrievals shape what the model says.
Tool calls and GPT Actions. A configured GPT can call external HTTP APIs — GPT Actions are integrations that let a custom ChatGPT call external systems on the user’s behalf. These are the AI taking real action against real systems.
Code interpreter execution. ChatGPT can run Python code in a sandboxed environment. The code that ran and the data it produced are part of the session.
Web browsing. When enabled, ChatGPT can fetch web pages. The URLs visited and content retrieved are part of the session.
Memory. Personalized context the model has stored about the user across sessions.

A captured chat transcript covers the first item. Some of the second item (file uploads) is captured by the OpenAI Compliance API. The rest sits in a layer that current vendor capture generally does not address.

What current vendor capture covers

As of public materials reviewed on 2026-05-15, ChatGPT Enterprise vendor capture sits on the OpenAI Compliance Platform. OpenAI lists Global Relay as currently supporting updated conversation logs, with Smarsh and Microsoft Purview listed as in progress for updated conversation logs while supporting other data types. Smarsh publicly documents its ChatGPT Enterprise integration. Global Relay has announced its integration. Microsoft Copilot capture is publicly documented by Smarsh and Theta Lake; we did not find equivalent ChatGPT Enterprise capture documentation from Theta Lake as of this writing.

This is real progress. The chat-transcript layer is increasingly supported.

OpenAI’s own description of the Compliance Platform includes conversations, uploaded files, memories, users, and “workspace GPT configuration and metadata.” That is broader than a simple chat export. The practical question for a regulated firm is what each archive vendor’s integration exposes in examiner-ready form. Coverage of GPT configuration, knowledge file retrievals, GPT Action arguments and results, code interpreter activity, and memory state is not consistently documented across vendor public materials as of 2026-05-15. If a specific capability matters for a firm’s compliance posture, request current documentation and dated screenshots from the vendor.

Two coverage gaps are widely understood today:

Tool calls and GPT Actions inside the session. A custom GPT can invoke external HTTP APIs (Actions) on the user’s behalf. Whether the resulting arguments and return values surface in an examiner-ready export through the Compliance Platform is not publicly documented by archive vendors in a way that lets a firm rely on it without verification.
ChatGPT Team and consumer-tier ChatGPT. Compliance Platform integration is an Enterprise-tier feature. Activity on Team and consumer tiers is not captured through the same path. The activity still happens. The recordkeeping consideration still applies.

What regulators have actually said

The SEC’s 2026 examination priorities flag AI governance and AI-assisted activity as a focus area. Examiners are directed to assess whether firms have policies governing employee AI use, whether the policies are enforced, and whether records of AI-assisted activity are being retained.

FINRA’s 2026 Annual Regulatory Oversight Report and Notice 24-09 signal that existing recordkeeping rules apply to AI-generated communications in the same manner as any other business communication.

Regulators have not issued explicit guidance that a ChatGPT prompt is a record, that a GPT Action call is a record, or that a custom GPT’s system prompt must be preserved. The framework that would implicate this activity (Rule 17a-4, Rule 4511, Rule 204-2) already exists. Explicit AI-specific rulemaking does not. A defensible compliance posture, developed in consultation with the firm’s counsel, often preserves activity the existing framework appears to cover rather than waiting for new rulemaking.

What an examiner is likely to ask for

Examination requests typically arrive in plain language and ask for activity, not artifacts.

“Provide all communications and records relating to [matter] between [start date] and [end date], including any AI-assisted output.”

For a ChatGPT session, a defensible answer assembles:

The chat transcript (captured by current vendor integrations)
The files attached to the session
The system prompt of any custom GPT used
Knowledge file retrievals the GPT made during the conversation
GPT Action calls with arguments and results
The model identity and version
Tool surface (which Actions and capabilities the GPT had available)
Policy decisions and any lifecycle hooks that fired

If the firm has only the transcript, it can produce a description of what the AI said. If the firm has the full set, it can produce evidence of what the AI did.

Where the gap is widest

Three scenarios are worth flagging because current vendor capture has the least public coverage of them.

Custom GPTs with Actions, used at scale. A firm builds a custom GPT to assist with research, configures it with a detailed system prompt, attaches knowledge files containing internal data, and gives it Actions that call internal systems. An employee uses this custom GPT throughout the workday. The user prompts and the model responses are captured. Whether the GPT configuration, the knowledge retrievals, and the Action arguments and results land in an examiner-ready export depends on the specific vendor integration and is not consistently documented across vendor public materials as of 2026-05-15. A firm relying on these for regulated activity should verify with its vendor before assuming coverage.

ChatGPT Team and consumer-tier ChatGPT. Employees who use ChatGPT outside the Enterprise tier are not covered by the Compliance Platform. This is the same pattern as off-channel messaging when employees use messaging outside of the firm’s approved apps. The activity still happens. The recordkeeping consideration still applies. The vendor capture path does not exist for these tiers. A firm needs to either restrict to Enterprise tier or capture activity at a different layer (network, browser, or internal proxy).

Self-hosted AI. When a firm runs self-hosted AI on Ollama, vLLM, LiteLLM, Open WebUI, or similar infrastructure, there is no vendor compliance API to call. The activity still happens. The recordkeeping obligation still applies.

How Arc closes the gap

Arc is designed to capture both halves of an AI session:

The chat layer, where current vendor integrations are concentrated. Arc integrates with the OpenAI Compliance API and Microsoft Purview / Graph for Enterprise-tier capture (demo available today).
The execution layer, where current vendors are not. For ChatGPT-style activity, this means capturing tool calls and Action invocations through an integration point or proxy. For internal AI deployments (Ollama, vLLM, LiteLLM, Open WebUI, internal Copilot-style tools), Arc Bridge handles capture at the infrastructure layer. For MCP-driven agent activity, Arc Relay captures every tool call in production today.

The result is a single archive that holds both the chat transcript and the execution record - the same archive that already holds the firm’s WhatsApp, Signal, iMessage, and 40+ other communication channels. One examiner-ready format. One legal-hold workflow. One supervisor review queue.