What happened at Samsung in 2023
In April 2023, Samsung employees at multiple departments uploaded sensitive internal data to ChatGPT. One uploaded semiconductor source code asking for bug fixes. Another uploaded code seeking optimization suggestions. A third uploaded minutes from an internal meeting to generate notes. That data left Samsung's environment and entered OpenAI's servers, where it could be used to improve the model. Samsung investigated the incidents internally and disclosed them to employees. The company then banned all generative AI tools across the organization. It was a reactive ban, not a governance framework. The problem was not that ChatGPT existed. The problem was that employees had access to a consumer tool with no data handling policy, no access controls, and no guidance about what business data could go into an AI system. Data left because nothing was in place to define the boundary before the tool reached employees. The incidents were reported widely in 2023 by Bloomberg, Business Insider, and others, and became one of the most-cited examples of why companies need AI policies before tool deployment, not after.
What Samsung announced in June 2026
On June 21 and 22, 2026, OpenAI announced that Samsung Electronics was deploying ChatGPT Enterprise and Codex to all employees in South Korea and to all employees in its Device eXperience division globally. The deployment is part of Samsung's AX initiative, the company's AI transformation push announced in early June 2026. Samsung is also deploying Google Gemini Enterprise and Anthropic Claude alongside ChatGPT. This is not a single-vendor AI rollout. It is a structured, multi-vendor deployment covering software development, marketing, product development, manufacturing, and management functions across the global organization. The tools in this deployment are not the same as the consumer tools from 2023. ChatGPT Enterprise does not use business customer data to train its models. It includes data protection, user and access management, and security controls that the consumer version did not offer at the time of the leak. The same protections apply to the enterprise versions of Google Gemini and Anthropic Claude deployed alongside it. Training for the full global workforce is expected to complete by the end of 2026.
What Samsung built in the three years between
The jump from a company-wide AI ban to one of OpenAI's largest enterprise deployments did not happen in a single step. In late 2025, Samsung SDS, Samsung's IT services arm, established a reseller partnership with OpenAI. That partnership made Samsung SDS the first Korean entity authorized to manage ChatGPT Enterprise deployments, both internally and for other businesses. Building that structure required time: legal review, data governance alignment, security controls configuration, access policy creation, and a tiered rollout plan designed to cover the global workforce over the course of 2026. The 2026 deployment was possible because Samsung built the governance layer before the tools reached employees at scale. The tools became available to the organization when the infrastructure around them was ready, not before. That sequencing is the entire lesson.
What business owners should not misread about this
The headline version of this story is tempting: Samsung tried AI, banned it, came back with a bigger rollout. The implied lesson is that companies eventually get comfortable with AI and the tools turn out to be fine. That reading gets the sequence wrong. Samsung's 2023 problem was a governance gap, not a tool problem. Employees had access to a consumer tool with no policy covering what business data could go into it. No one had defined what was acceptable. No one had set boundaries before access was possible. The 2026 deployment works differently because of the governance layer around the tools. ChatGPT Enterprise does not train on business data. Access is controlled through the organization's security policies. Data boundaries are defined before employees use the tools. A business that reads the Samsung story as validation for letting employees use whatever AI tools they want has misread the arc entirely. The lesson is the opposite: Samsung's ban lasted three years because they had to build the governance infrastructure that should have been in place before employees ever had access.
What the three-year arc teaches in practical terms
Samsung's path was: employees used an unapproved tool, sensitive data left the building, the company banned all AI tools, spent three years building the governance layer, and then deployed with proper controls. Most businesses are somewhere in that sequence right now. Some are pre-incident, with employees using AI tools the owner is not fully aware of. Some have already had a version of the 2023 moment, whether a data exposure incident or a realization that sensitive information has been passing through a consumer tool. Very few have completed the governance layer that makes a company-wide deployment viable. The practical order of operations to avoid the ban phase: First, find out what AI tools your employees are already using and what data is going into them. This is not a hypothetical. Your employees are using AI today. The question is whether you know what they are using and what boundaries are in place. Second, define what data may and may not go into any AI tool. One clear policy, one page, covering customer information, financial records, employee data, proprietary processes, and anything else your business treats as sensitive. This policy should exist before the next AI tool is added, not after. Third, when you deploy AI tools company-wide, choose versions with actual enterprise controls. ChatGPT Enterprise, Microsoft 365 Copilot, Claude for Enterprise, and Gemini for Workspace all offer data protection and access management that consumer accounts do not. Those controls exist for a reason. Fourth, train before you roll out. Samsung's global deployment includes training for every employee. For a smaller business, that looks like a clear session covering what the tool is for, what data stays out of it, and who to ask if something is uncertain. That is not a large-company requirement. It is what keeps the 2023 scenario from repeating at a smaller scale.
The Atlacis view
Most of the business owners we speak with are closer to 2023 Samsung than they realize. Employees are using AI tools. Some of those tools have access to data the owner would not want leaving the building. The policy covering what goes into AI tools either does not exist or was written once and has not been reviewed since. The Samsung arc is not a story about a large company doing something that smaller businesses cannot replicate. It is a story about the order of operations: governance before deployment, policy before access, training before company-wide rollout. The enterprise-grade tools Samsung is deploying in 2026 are available to businesses of any size. What determines whether they are safe to use is not the tools themselves. It is whether the organization has defined the data boundaries around them and built the access controls before employees start using them at scale. If you are not sure what AI tools your employees are currently using, or what data is going into them, that is where the work starts. Understanding that picture before the next AI rollout decision is more useful than choosing between models.
The short version
- In April 2023, Samsung employees uploaded proprietary semiconductor code and internal meeting notes to ChatGPT. Samsung banned all generative AI tools in response.
- In June 2026, Samsung announced one of OpenAI's largest ever enterprise deployments: ChatGPT Enterprise and Codex to all employees in South Korea and all Device eXperience Division employees worldwide.
- Samsung is also deploying Google Gemini Enterprise and Anthropic Claude alongside ChatGPT, building a multi-vendor AI stack across the organization.
- ChatGPT Enterprise does not train on business customer data and includes data protection, user access management, and security controls the consumer version did not offer in 2023.
- The three-year gap between ban and deployment represents the time needed to build the governance layer that should have been in place before employees ever had consumer tool access.
- The practical sequence: audit what AI tools employees are already using, define a data handling policy, deploy enterprise-grade tools with access controls, and train before rollout.