
ChatGPT Active Sessions: Locking Down Your Team's Account Security

June 2026 · 6 min read · Technical


Most Australian teams roll out ChatGPT in a hurry. Someone signs up, shares the login, adds a few colleagues, and within a week half the office is pasting work into the same account from laptops, home desktops, and phones. That speed is fine until a contractor leaves, a laptop goes missing, or someone signs in on a hotel computer in Sydney and forgets to sign out. Active sessions are the part of ChatGPT that shows you who is actually logged in right now, and they are the first place to look when you want account security to keep pace with your rollout.

What ChatGPT active sessions actually show you

An active session is any place your ChatGPT account is currently signed in: a browser tab, the desktop app, or the phone app. On most plans you will find the list under Settings and then the Security area. ChatGPT keeps you logged in for a long time so you are not retyping passwords every morning, which is convenient and also the reason a forgotten session can sit open for weeks. The point of reviewing the list is simple: end the sessions you do not recognise before anyone else makes use of them. For each session, the list shows:

  • The device and app type, such as a Chrome browser on Windows or the iOS app

  • The rough location and the last time that session was active

  • Which session is the one you are using right now, so you do not lock yourself out by accident

  • A single control to sign out of every other session at once

Why a stale session is a quiet risk

A login that never expires outlives the reason it was created. The departed contractor still has access from a personal laptop. The shared account stays open on a machine in a coworking space. None of this trips an alarm, because nothing was hacked; the door was simply left unlocked. Under the Privacy Act and the Australian Privacy Principles, your business is responsible for the personal information your team feeds into any tool, an AI assistant included. If that information walks out through a session nobody closed, the duty to assess and, where required, report the breach to the OAIC still sits with you.

Put a number on it. If you scope a serious breach response at $45,000 for a small Sydney business once you count investigation, legal review, and customer notification, twenty minutes of session hygiene each quarter stops looking optional. For a larger team holding client data under contract, a single avoidable incident can run past $120K before you reach the reputational cost.

A 20-minute lockdown for your team

Here is the practical sequence. You can run it solo on a personal Plus account or as an admin for a Team or Enterprise workspace, and none of it needs a security background. Block twenty minutes, work from the top down, and write down what you changed.

  • Open account settings, review the active sessions list, and sign out of any device or location you cannot place

  • Use the log out of all devices control after any laptop loss, role change, or contractor departure

  • Turn on multi-factor authentication so a leaked password on its own cannot start a new session

  • For Team and Enterprise workspaces, route sign-in through your single sign-on provider so access follows your staff directory

  • Remove departed members from the workspace the same day they leave, which revokes their sessions along with their seat

  • Set a recurring quarterly reminder to repeat the review so it does not depend on memory
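As an added illustration (not code from the post, and not an official ChatGPT export format), here is a small Python triage over a constructed session list that applies the review rules above: never end the session you are reviewing from, flag anything idle longer than the quarterly cadence, and flag any device or location the team cannot place.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of an active-sessions list, shaped like the fields the
# Settings > Security page shows (device/app, rough location, last active,
# and which row is the current session). Hypothetical format, not an export
# ChatGPT actually provides.
SAMPLE_SESSIONS = [
    {"id": "s1", "device": "Chrome on Windows", "location": "Sydney, AU",
     "last_active": "2026-06-10T08:15:00+10:00", "current": True},
    {"id": "s2", "device": "iOS app", "location": "Melbourne, AU",
     "last_active": "2026-06-09T19:02:00+10:00", "current": False},
    {"id": "s3", "device": "Safari on macOS", "location": "Bangkok, TH",
     "last_active": "2026-03-02T11:40:00+07:00", "current": False},
    {"id": "s4", "device": "Chrome on Windows", "location": "Sydney, AU",
     "last_active": "2026-01-20T09:00:00+10:00", "current": False},
]

# Devices and locations the team has positively placed (constructed allowlist).
KNOWN_DEVICES = {"Chrome on Windows", "iOS app"}
KNOWN_LOCATIONS = {"Sydney, AU", "Melbourne, AU"}

# Fixed review time so the sample is reproducible; use datetime.now(timezone.utc) live.
REVIEW_TIME = datetime(2026, 6, 10, 0, 0, tzinfo=timezone.utc)


@dataclass
class Finding:
    session_id: str
    reasons: list


def triage_sessions(sessions, now, known_devices, known_locations, max_idle_days=90):
    """Return the sessions to sign out, each with its reasons; never the current one."""
    findings = []
    for s in sessions:
        if s["current"]:
            continue  # ending this one would lock out the reviewer
        reasons = []
        last = datetime.fromisoformat(s["last_active"]).astimezone(timezone.utc)
        idle = now - last
        if idle > timedelta(days=max_idle_days):
            reasons.append(f"idle for {idle.days} days")
        if s["device"] not in known_devices:
            reasons.append(f"unrecognised device: {s['device']}")
        if s["location"] not in known_locations:
            reasons.append(f"unrecognised location: {s['location']}")
        if reasons:
            findings.append(Finding(s["id"], reasons))
    return findings


def triage_sample():
    return triage_sessions(SAMPLE_SESSIONS, REVIEW_TIME, KNOWN_DEVICES, KNOWN_LOCATIONS)
```

Running triage_sample() flags s3 (stale, unknown device and location) and s4 (stale only), while s1 is skipped as the current session and s2 passes.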

Where SSO and the Privacy Act fit

Single sign-on is the difference between chasing individual logouts and governing access from one place. On ChatGPT Enterprise and Team plans, connecting an identity provider such as Microsoft Entra ID or Okta ties a person's ChatGPT access to their company account. Disable that company account during offboarding and the ChatGPT sessions go with it. SCIM provisioning goes further, adding and removing members automatically as your directory changes, so you are not relying on someone remembering to click remove.

This matters for compliance because the Privacy Act expects reasonable steps to protect personal information, and reasonable is judged against the controls that were realistically available. Session management, multi-factor authentication, and single sign-on are standard, low-cost controls. Skipping them is hard to defend if the OAIC ever asks how access was governed. Keeping a short written note of your review cadence helps too, because it shows the control exists on purpose rather than by luck.

Make it a standing control, not a one-off

A session review only protects you if it happens more than once. Tie it to events you already track: every time someone joins or leaves, every time a device is replaced or a phone is upgraded, and on a fixed quarterly date in the calendar. Teams that fold this into their offboarding checklist rarely think about it again, because the work moves from memory into process where it belongs.

Whether your team settles on ChatGPT, Claude, or runs both side by side, the discipline is identical: know who is signed in, close what you do not need, and let your identity provider carry the load. At Automata AI we set this up for Australian teams as part of a wider AI governance baseline, so the tools your staff rely on do not quietly become the weakest link in your security.

Want a second set of eyes on how your team signs in to its AI tools? Book a brainstorm and we will map a simple, Privacy Act-ready access plan you can run yourself.
