OpenAI Adds Session Controls, But Model Updates Pose Bigger Governance Challenge
OpenAI introduced Active sessions, a security feature that lets users see where they're logged in and remotely sign out of specific devices. The feature is now available across all ChatGPT accounts, including workspace versions used by enterprises.
The capability addresses a long-standing gap. Organizations previously had limited visibility into user login locations and relied on blunt tools like password resets to force re-authentication. Active sessions shows device type, browser, approximate location, sign-in time, and whether a device is trusted.
Users access the feature through Settings > Security > Active sessions, where they can log out of individual sessions or all devices at once. Admins can view sessions across ChatGPT, Codex, and the API Platform.
A basic feature, long overdue
Security experts call the addition necessary but overdue. "The reality of OpenAI offering the ability to end active sessions is that it's something that exists in lots of platforms," said David Shipley of Beauceron Security. "They should've had it sooner, but better late than never."
The feature has clear limits. It doesn't show connected third-party apps, sessions through single sign-on systems, or recently logged-out sessions. OpenAI says session details may be approximate or incomplete.
From a governance angle, the visibility matters. It allows administrators to identify unauthorized access and terminate stale sessions before they become security liabilities. For regulated industries, this kind of audit trail supports compliance requirements.
The real problem: constant model changes
Session controls address access management. The bigger headache for enterprises is something else entirely: OpenAI's continuous model updates.
Last week, OpenAI updated GPT-4.5 Instant to improve response quality and readability. Earlier in May, it released GPT-4.5 Instant as a successor to GPT-4.3 Instant. These iterations happen regularly, each one changing how the model behaves.
This creates a fundamental governance problem. Organizations typically test and approve a model for production use before deployment. But when the same model version changes behavior under the hood, those approval decisions become outdated.
"The biggest governance challenge in AI is not model adoption, it's model change," said Ensar Seker, CISO at SOCRadar. "Most organizations can evaluate a model once. Far fewer are prepared to continuously evaluate how that model evolves over time."
For compliance teams in regulated industries, this is especially problematic. Auditability, repeatability, and change management are requirements. When a model shifts behavior without clear notice, those requirements become harder to meet.
Organizations lack tools to keep up
The pace of updates outstrips traditional security review cycles. Teams are expected to manage rapidly evolving models, new features, and changing behaviors while maintaining compliance and risk management. That's a mismatch.
Many organizations can't assess how model iterations affect their risk boundaries. Worse, they're often unaware updates happened at all. "Without the ability to opt out before it's incorporated, enterprises are basically red-teaming the updates with their clients," said Valence Howden, advisory fellow at Info-Tech Research Group.
Enterprises lack resources to continuously validate models the way they validate static software. Existing governance practices are weak, and speed-focused cultures often treat governance as an obstacle rather than a requirement.
What organizations should do
Treating AI models as living systems rather than fixed software is the first step. Seker said security and governance programs should include continuous validation, monitoring, and periodic re-assessment instead of one-time approval processes.
Organizations should also establish clear expectations with vendors around change management. This means requiring transparency about model updates, behavioral changes, and potential workflow impacts.
"Effective AI governance increasingly depends on visibility into change, not just visibility into risk," Seker said.
For managers overseeing AI adoption, this means building governance into the operational model from the start, not bolting it on after deployment. The question isn't whether models will change - they will. The question is whether your organization can track and assess those changes before they affect your business.