ChatGPT Enterprise and Claude for Business: How to Use OpenAI and Anthropic Safely in Your Organisation
ChatGPT Enterprise and Claude Enterprise provide stronger data protection than consumer versions. OpenAI surpassed $25 billion in annualised revenue. Anthropic is approaching $19 billion. Both are now standard enterprise tools, but their governance controls work differently from Microsoft Copilot. This article covers what the differences mean, how to deploy the tools safely, and what to address in vendor contracts.
Key Takeaways
ChatGPT Enterprise and Claude Enterprise/Team plans offer SOC 2 Type II compliance, encrypted data, and a contractual guarantee that data is not used to train models.
Unlike Microsoft Copilot, ChatGPT and Claude do not inherit existing enterprise permissions — they only see what you paste in or upload.
OpenAI launched GPT-5.5 Instant in May 2026; Anthropic's Project Glasswing gives select organisations access to Claude Mythos.
Both platforms support custom GPTs/Projects with retrieval — these become governance objects that need documentation, access control, and review.
Vendor contracts should address data residency, audit rights, model update notifications, and incident reporting — these terms matter more than the product features.
"For information purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."
OpenAI's ChatGPT and Anthropic's Claude are now standard enterprise tools alongside Microsoft Copilot. OpenAI surpassed $25 billion in annualised revenue by May 2026 and is exploring a potential public listing in late 2026. Anthropic is approaching $19 billion in annualised revenue. Both have business and enterprise tiers (ChatGPT Enterprise, Claude Team, Claude Enterprise) that offer stronger data protection than consumer versions. Understanding how to use these tools safely, how their governance controls differ from Microsoft Copilot, and what vendor contract terms matter is essential for any organisation adopting them — which, in 2026, is most organisations.
What enterprise tiers actually provide
ChatGPT Enterprise (OpenAI) offers SOC 2 Type II compliance, encrypted data at rest and in transit, a contractual commitment that customer data is not used to train OpenAI's models, custom data retention controls, an admin console for user management, single sign-on, and audit logging. Claude Enterprise (Anthropic) offers similar protections: SOC 2 Type II, data encryption, contractual exclusion from model training, audit logs, SSO, and admin controls. Both tiers provide what is effectively a Microsoft Enterprise Data Protection equivalent, but with one critical difference from Copilot.
The key difference: ChatGPT and Claude do not inherit your permissions
Microsoft Copilot honours existing Microsoft 365 permissions — if a user does not have access to a SharePoint document, Copilot cannot surface it to them. ChatGPT and Claude do not work this way. They have no inherent knowledge of your organisation's permission structures. They only see what is pasted into a prompt, uploaded as a file, or made available through a custom GPT/Project with retrieval. This is a feature, not a bug: it means ChatGPT and Claude cannot accidentally surface overshared SharePoint content the way Copilot can. But it also means users can paste any data they have access to (or any data they shouldn't have access to) into the prompt, with no permission check.
Custom GPTs and Claude Projects as governance objects
Both platforms support custom AI assistants pre-configured with instructions, files, and behaviours. ChatGPT calls these GPTs. Claude calls them Projects. These are powerful: a custom GPT or Project loaded with your company knowledge base and configured with specific instructions can dramatically improve AI productivity for routine tasks. But each custom GPT or Project is a governance object that requires documentation (what is it for?), access control (who can use it?), content review (is the knowledge base accurate and appropriately sourced?), update management (when does the knowledge base get refreshed?), and lifecycle management (when is this GPT retired?). Organisations that adopt custom GPTs and Projects without governance accumulate them rapidly and lose track of how each one is configured.
OpenAI GPT-5.5 Instant and Anthropic Project Glasswing
In May 2026, OpenAI launched GPT-5.5 Instant — a faster, more capable model now available through ChatGPT and the API. Anthropic launched Project Glasswing, providing select organisations (AWS, Apple, Cisco, Google, JPMorgan Chase, Microsoft) with early access to Claude Mythos Preview to identify and fix critical software vulnerabilities. The pace of model updates is significant: organisations should not assume the AI capabilities they tested six months ago are still representative. Each major model update can change capability profiles, safety behaviours, and failure modes.
Vendor contract terms that matter
Beyond the standard SaaS terms, AI-specific vendor contracts should address: data residency (where is your data processed and stored?), audit rights (can you conduct security and compliance audits of the AI provider?), model update notifications (will you be informed when the underlying model changes?), incident reporting (what is the provider's obligation when their AI system has a security incident or material capability change?), training data exclusion (explicit confirmation that your data is not used for training, including for fine-tuning or model improvement), data deletion (how is your data deleted when you terminate the contract?), and AI-specific liability provisions (what happens if the AI produces incorrect outputs that cause harm?). For APRA-regulated entities, CPS 230 vendor management requirements apply to AI providers as material service providers.
Practical deployment principles
Establish clear policies on what data can and cannot be entered into ChatGPT/Claude — separate from the policies for Copilot, because the permission inheritance is different. Train users to understand that they are responsible for the data they paste into prompts — these tools cannot automatically prevent disclosure of data the user has access to. Establish governance for custom GPTs and Projects — including registration, approval workflows, and periodic review. Monitor usage through admin dashboards and audit logs. Plan for model updates — establish a process for evaluating new model versions before they affect production workflows. Maintain awareness of broader AI ecosystem developments (Project Glasswing, GPT-5.5, etc.) — what these tools can do is changing monthly.
Sources: OpenAI Enterprise Privacy | Anthropic Legal & Compliance