OpenAI gets FedRAMP Moderate for ChatGPT Enterprise and API

OpenAI has received FedRAMP 20x Moderate authorization for ChatGPT Enterprise and the OpenAI API Platform.

Facts: OpenAI said on April 27, 2026 that ChatGPT Enterprise and its API Platform are now available under FedRAMP Moderate for U.S. federal agencies. The authorization covers use of OpenAI’s managed products in environments where security, privacy and governance must be documented before procurement and production use. OpenAI also says agencies can access GPT-5.5 in the FedRAMP environment, and that Codex Cloud is expected to become available through FedRAMP ChatGPT Enterprise workspaces.

This is not a Norwegian or European public-sector certification, and it does not automatically make OpenAI suitable for every regulated use case. The important signal is different: major AI providers are moving from general productivity tools toward auditable, procurement-ready platforms for organizations with strict control requirements.

For CIOs, the evaluation of generative AI now has to become more concrete. The question is no longer only whether the model is capable enough. It is whether the provider can document its control environment, logging, data handling, responsibility split and change management in a way that can survive internal audit, supervisory scrutiny and procurement processes. FedRAMP 20x emphasizes cloud-native security evidence, Key Security Indicators, automated validation and ongoing visibility. Those are the same types of evidence enterprises will need when AI moves from pilots to production.

The leadership consequence is twofold. First, OpenAI becomes easier to evaluate for controlled environments, especially where ChatGPT Enterprise or APIs are intended to replace informal shadow AI with managed internal platforms. Second, competitors such as Microsoft, Google, Anthropic and Mistral will face pressure to show comparable maturity in certifications, data zones and trust portals.

The practical recommendation is to update AI vendor requirements now. Ask for evidence on data residency, access controls, model and feature changes, incident handling, subcontractors and log export. Separate informal chatbot use from controlled enterprise workspaces and API integrations in case handling, software delivery or customer dialogue. That is where the real risk, cost and value sit.

Assessment: FedRAMP Moderate is most directly relevant to the United States. For Norwegian and European leaders, however, it is a maturity signal. AI platforms that cannot document security and governance in procurement language will face a harder path into core business processes.