# Sharing, governance, and custom gpts at work
A Custom GPT can live in exactly three states: private to you, shared by link to anyone who has the URL, or published to the GPT Store. Choosing the wrong state is how a sales enablement GPT ends up indexing your unreleased pricing, or how a "quick internal helper" becomes a support burden no one owns. This lesson is about getting those choices right before a team depends on the thing.
When you build a GPT in the editor, the Share dialog gives you:
The distinction that trips people up: inside a workspace, sharing is bounded by the workspace. A link-shared GPT is reachable by colleagues, not the open internet, when your admin has locked external sharing down. Verify this assumption before you treat "link only" as "internal only." See OpenAI's overview of Custom GPTs in Team and Enterprise.
This is the part most builders get wrong. When you share a GPT, you share its configuration: the instructions, the conversation starters, the enabled capabilities (web search, Code Interpreter, image generation), any Actions (APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition → calls it can make), and any files you uploaded to its Knowledge.
Those Knowledge files matter. If you uploaded a spreadsheet of internal margins so the GPT could reason over it, every user of that GPT can extract that content. A determined user can ask the GPT to print its instructions or dump its knowledge files verbatim, and it often will. Treat anything in a GPT's configuration as readable by everyone who can use it.
Let's make this real. Your RevOps team wants a "Deal Desk Assistant" GPT that helps account executives draft quote approvals. It needs to:
1. Answer questions from an internal discounting policy (a PDF).
2. Look up live deal data from your CRMCRMCustomer Relationship Management: software and strategy to manage and analyse customer interactions throughout their lifecycle.View full definition →.
3. Draft a structured approval request.
Here is how the three concerns (sharing, governance, data/security) play out across that build.
The audience is "AEs in our workspace," not the public. So this is a workspace-published GPT, owned by the RevOps admin account, not by an individual who might leave the company. Ownership is governance: a GPT owned by a departed employee is a GPT no one can update.
In Enterprise, an admin can set who is even allowed to *build* and *publish* GPTs, and can review what gets published to the internal store. If you are the builder, find out your workspace's policy before you invest a week in something IT will block.
You attach the policy PDF as Knowledge. Two security questions immediately:
A static PDF is easy. Live data is where governance gets serious. To pull deal records, the GPT needs a GPT Action: an OpenAPI schemaschemaA schema is the formal blueprint that defines how data is structured, named, typed, and related within a database, file, or message.View full definition → describing an endpoint the GPT can call, plus an authentication method.
Here is a minimal Action schemaschemaA schema is the formal blueprint that defines how data is structured, named, typed, and related within a database, file, or message.View full definition → for a read-only deal lookup:
openapi: 3.1.0
info:
title: Deal Lookup
version: "1.0.0"
servers:
- url: https://api.internal.example.com
paths:
/deals/{dealId}:
get:
operationId: getDeal
summary: Fetch a single deal by ID
parameters:
- name: dealId
in: path
required: true
schema: { type: string }
responses:
"200":
description: Deal record
content:
application/json:
schema:
type: object
properties:
id: { type: string }
amount: { type: number }
stage: { type: string }
discountPct: { type: number }Three governance rules for Actions that matter more than the schemaschemaA schema is the formal blueprint that defines how data is structured, named, typed, and related within a database, file, or message.View full definition →:
GET, not POST/DELETE. The narrower the APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition → surface, the smaller the blast radius.The "draft an approval request" job benefits from a consistent shape. In the GPT instructions, specify the exact output template. You don't get the APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition →'s JSON-schemaschemaA schema is the formal blueprint that defines how data is structured, named, typed, and related within a database, file, or message.View full definition →-enforced structured outputs inside a Custom GPT, that is an APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition → feature, but a well-specified instruction plus a conversation starter gets you reliable formatting for human-facing drafts.
If the team later needs *guaranteed* machine-readable output (for example, to auto-file approvals), that's the signal to graduate from a Custom GPT to an APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition → integration using the Responses APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition → with structured outputs. More on that boundary below.
Run this checklist with whoever owns risk. None of these are optional for a GPT a team relies on.
Data classification. What is the most sensitive data this GPT can touch, through Knowledge files *and* through Actions? Classify to that level and apply your existing handling rules. The GPT does not get a special exemption.
Identity and access. Who can use it? In Enterprise, GPT access can be scoped, and SSO governs who is in the workspace at all. Confirm that offboarding (someone leaves) actually removes their access. It does, if access flows through the workspace, but verify for link-shared GPTs.
Auditability. Enterprise workspaces offer admin controls, usage visibility, and the Compliance APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition → for retrieving conversation and audit data. If you need to answer "who asked the Deal Desk Assistant about deal X," you need this in place *before* launch, not after an incident. See Enterprise compliance and admin features.
Memory and Projects. Be aware of where state lives. Memory and custom instructions are per-user personal context, not part of the GPT's shared config, so they won't leak between users. But if your team works inside a shared Project, files and instructions added to that Project are shared with Project members. Don't confuse a Project (a shared workspace for chats and files) with a Custom GPT (a configured assistant). They have different sharing models.
The hallucination boundary. A Deal Desk Assistant that *sounds* authoritative about discount policy can confidently invent a threshold. Decide what it is allowed to be the source of truth for. Good practice: instruct it to cite the policy section and to refuse rather than guess when the policy is silent.
Knowledge check
1. According to the lesson, how many distinct visibility states can a Custom GPT exist in?
2. Inside a Team or Enterprise workspace with external sharing locked down, what does the 'Anyone with the link' option effectively mean?
3. A teammate publishes a Custom GPT to your Team workspace's internal store. What is the key difference between this and publishing to the public GPT Store?
4. Select ALL correct answers about what actually travels when you share a Custom GPT's configuration.
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers about the security risks of uploading files to a Custom GPT's Knowledge before sharing it.
Sélectionnez toutes les réponses correctes.
Custom GPTs are excellent for human-in-the-loop, conversational workflows inside ChatGPT. They are the wrong tool when:
The migration path for our scenario: if RevOps later wants approvals filed automatically, the same OpenAPI tool becomes a function/tool the model calls programmatically. Here is the shape in the Responses APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition →:
from openai import OpenAI
client = OpenAI()
response = client.responses.create(
model="gpt-4.1",
input="Draft an approval for deal D-8842 and flag if discount exceeds policy.",
tools=[{
"type": "function",
"name": "getDeal",
"description": "Fetch a single deal by ID",
"parameters": {
"type": "object",
"properties": {"dealId": {"type": "string"}},
"required": ["dealId"],
},
}],
)
print(response.output_text)Same business logic, but now *your* code controls authentication, runs the actual getDeal call, and can enforce policy in code rather than hoping the prompt holds. The Responses API docs cover the full tool-calling loop.
The rule of thumb: a Custom GPT is a shared configuration, not a controlled application. The moment you need real access control, audit guarantees, or deterministic behavior, you have crossed into APIAPIApplication Programming Interface: a standardised interface that lets applications communicate and exchange data without knowing each other's internal workings.View full definition → territory.