ChatGPT Shared Projects for Compliance Teams

U.S. legal and compliance teams don’t lose time because they’re slow. They lose time because work context is scattered—in email threads, deal rooms, Teams chats, shared drives, and half-finished docs that only one person knows how to find.

That’s why the newest workplace updates to ChatGPT matter for this “AI in Legal & Compliance” series. OpenAI is pushing beyond the “smart chat” phase and into something compliance leaders actually care about: AI that works inside real workflows. The big moves are (1) shared projects that keep a living case file, (2) connectors that pull the right information from the tools you already run on, and (3) stronger admin and compliance controls to make risk teams comfortable rolling AI out broadly.

If you’re responsible for policy, privacy, contract risk, investigations, or regulatory reporting, here’s the practical truth: these features are less about novelty and more about operationalizing AI across a team without losing governance.

Shared projects: a “living matter file” for AI-assisted work

Shared projects are a direct answer to a common failure mode in AI adoption: every chat starts from scratch, so output varies by user, and institutional knowledge never sticks.

A shared project centralizes the things compliance work runs on—background docs, standard language, playbooks, timelines, and team instructions—so each person’s new chat starts from the same baseline. Think of it as a collaborative workspace with a persistent memory, built for ongoing work rather than one-off prompts.

Where shared projects fit in legal & compliance

For compliance teams, shared projects map cleanly to how work is already organized:

• Vendor and procurement risk: questionnaires, SOC reports, DPAs, security addenda, and exception logs
• Contract review: clause library, fallback positions, redlines, and approval rules
• Regulatory change management: new guidance, internal interpretations, impacted policies, implementation checklists
• Investigations and incident response: timelines, interview notes, evidence inventories, draft reports

The win is consistency. When a shared project includes approved definitions, risk tolerances, and tone, the AI stops “making it up” stylistically. You get fewer outputs that look plausible but don’t match your program.

Chat vs. edit access: a small detail with big governance impact

Shared projects include two permission levels—chat access and edit access. That sounds basic, but it’s exactly the kind of control compliance leaders need.

Here’s how I’d structure it in most organizations:

• Edit access: compliance leadership, legal ops, or a small “AI standards” group that maintains instructions, templates, and the canonical documents
• Chat access: the broader compliance, privacy, procurement, and security partner groups who need to use the content but shouldn’t rewrite it

This keeps the project from turning into a messy shared drive folder where everyone “fixes” the template.

Private project memory: helpful—if you set boundaries

Projects have their own memory so users can pick up work without re-explaining everything. That’s a big productivity boost for long-running matters.

It also demands a policy stance: decide what should and should not be placed into project memory.

A practical approach:

• OK: approved clauses, policy language, control descriptions, high-level summaries, non-sensitive meeting takeaways
• Caution: employee data, detailed customer incident data, privileged advice, unreleased financial metrics

Your governance goal isn’t “never use memory.” It’s to use memory intentionally, aligned with your data classification rules.

Connectors: AI-powered answers from the tools you already trust

Connectors matter because compliance work is mostly “find, verify, summarize, draft.” If AI can’t see the right documents (with the right permissions), it can’t be reliable.

ChatGPT connectors can pull relevant context from common workplace systems—email, calendars, team chat, file storage, and developer tools—so the model can answer based on your actual company content instead of generic assumptions.

What this changes for compliance operations

Instead of asking someone to “send me the latest version,” teams can ask ChatGPT to locate and synthesize what already exists.

Examples that translate well to compliance workflows:

1. Meeting preparation: Pull recent threads and documents related to a vendor review, then draft an agenda and questions
2. Policy work: Find the latest policy template and draft an update in the same structure
3. Audit readiness: Collect evidence artifacts listed in a control testing checklist and summarize gaps
4. Contract support: Summarize prior negotiation history from emails and shared docs to maintain consistency with past positions

This matters because compliance mistakes often start as information mistakes: using an outdated policy, missing a key email, or quoting an old clause.

Auto-selection of connectors reduces user error

A subtle but meaningful improvement: ChatGPT can now decide when it should use a connector (versus relying on its training or web search). In real teams, that’s a big reduction in “operator error.”

Compliance teams don’t want a new training burden where every employee must remember which connector to toggle in each chat. The more the system chooses the right data source automatically, the more likely adoption will stick.

Synced connectors: speed and reliability during “deadline weeks”

Compliance work is seasonal. Think:

• end-of-quarter sales contracting
• annual SOC 2 / ISO audits
• year-end board reporting
• post-incident remediation windows

Synced connectors (where data can be synchronized ahead of time for certain sources) are valuable because they reduce latency and improve answer quality when everyone is asking for summaries and status updates at once.

I’m opinionated here: if your team tries AI and it feels slow or incomplete, they’ll abandon it fast—especially in legal and compliance, where patience is low and stakes are high.

Security, privacy, and compliance controls: what risk teams will actually ask

Rolling out AI to a compliance org isn’t a product decision—it’s a risk decision. The updates highlighted by OpenAI align with the questions counsel and security teams raise immediately:

Compliance certifications: table stakes for enterprise adoption

OpenAI’s certification list now includes ISO/IEC 27001, 27017, 27018, and 27701, and an expanded SOC 2 scope that includes Security, Confidentiality, Availability, and Privacy.

For U.S. enterprises, this shortens the vendor review cycle because these frameworks map to how third-party risk programs are already structured.

Role-based access controls (RBAC): control who can use what

RBAC is where AI becomes manageable at scale. It supports a real-world compliance model:

• the compliance team can enable connectors for a subset of users
• projects can be allowed for some groups and restricted for others
• high-risk capabilities can be gated behind approval

The goal is simple: broad access to safe use cases, narrow access to risky ones.

Expanded SSO and optional IP allowlisting

Single sign-on improvements and IP allowlisting help meet corporate security expectations—especially in regulated industries and organizations with strict remote access policies.

For compliance leaders, the practical takeaway is this: these controls make it easier to say “yes” to AI because they reduce the blast radius of a bad configuration.

Five high-value use cases for U.S. legal & compliance teams

These aren’t theoretical. They’re the workflows where shared projects + connectors tend to create measurable time savings.

1) Contract review playbooks that don’t drift

Build a shared project around your standard positions:

• clause library with fallback tiers
• approval thresholds (what needs legal vs. compliance vs. security sign-off)
• common customer pushbacks and your preferred responses

Result: faster first-pass reviews and fewer internal escalations caused by inconsistent guidance.

2) Regulatory change tracking that produces action, not just summaries

Use connectors to pull internal policy docs and past interpretations, then keep a shared project with:

• the regulation summary
• “what changes for us” decisions
• implementation checklist by function

Result: one place to align legal, compliance, product, and ops.

3) Investigation support with better documentation hygiene

Create an incident/investigation shared project with:

• timeline template
• interview note structure
• evidence index format
• draft report outline

Result: cleaner work product and less rework when a regulator or auditor asks for “how you got here.”

4) Audit evidence requests that don’t turn into a scavenger hunt

Audits often fail on coordination, not controls. Use connectors to locate evidence artifacts and summarize:

• what exists
• what’s missing
• what’s stale
• who owns the update

Result: fewer last-minute escalations and less time spent assembling “proof of work.”

5) Compliance communications that stay on message

A shared project can contain your approved tone and phrasing for:

• customer security questionnaires
• privacy disclosures
• policy acknowledgments
• internal training reminders

Result: fewer ad hoc messages that create legal exposure or contradict policy.

Implementation checklist: how to roll this out without creating new risk

Most companies get AI rollout wrong by treating it like a single tool purchase. It’s a program.

Here’s a lightweight rollout approach that works well in legal and compliance settings:

1. Pick one workflow with a clear owner (vendor risk, contracts, audits—not “everything”)
2. Create one shared project as the source of truth (templates, instructions, approved language)
3. Limit edit access to a small governance group
4. Enable only the connectors you need for that workflow first
5. Define a red-line data policy (what must never be pasted or uploaded)
6. Measure two numbers for 30 days:
   • cycle time (e.g., days to complete vendor review)
   • rework rate (how often outputs must be corrected)

If those numbers improve, you’ve earned the right to expand to the next workflow.

What this signals for AI-powered digital services in the U.S.

These updates are a strong signal that AI in the U.S. digital economy is shifting from experimentation to infrastructure. Shared projects and connectors turn AI into something closer to a work operating layer—the place where documents, communications, and team decisions meet.

For the “AI in Legal & Compliance” series, the bigger story is governance. When AI can access the right content and teams can collaborate in a controlled workspace, you can finally scale assistance without losing policy discipline.

The next smart question for compliance leaders isn’t “Should we use AI?” It’s: Which workflows deserve an AI workspace, and what controls make that safe enough to run every day?