First, I personally do not disagree with you, to me it makes sense to have a user tier that cannot add new members.
But it does appear that this is not a completely unheard of system—but neither are your complaints about it unheard either.
At the end of the day, the best information we have is that this is a deliberate decision by OpenAI—it’s not a bug, it’s a feature.
If this type of permission structure doesn’t work for you, that’s understandable. Not every product is going to perfectly fit the needs of every person or company.
You raise two issues,
- Malicious actors are provided an unauthorized access vector to Custom GPT knowledge via every member.
Presumably, this is not a new vulnerability. Every member already has access to the Custom GPT knowledge, right? So there are no new vectors here.
- Malicious or non-malicious actors can generate unauthorized billing costs by inviting new members, even outside the range of baseline seats.
This is true. But, my understanding of the thinking is that the fact everyone in your organization is an entity known to you, that you have other recourses available to you.
If they’re a malicious employee, they can be fired and sued by you. If someone accidentally adds 100 seats, it’s maybe an expensive learning experience.
At some point you need to be responsible for who you trust. If you own a restaurant you need to trust your chef isn’t going to poison the guests. If you own a party planning company, you need to trust your employee isn’t going to order 100,000 custom invitations instead of 100. There are all sorts of ways employees can cost businesses lots of money intentionally or not. Early in my own career I made a huge blunder that cost the company I worked for a lot of money.
Could OpenAI restructure the product so that you don’t need to trust your employees and coworkers at all, or so the potential damages are much less? Probably. Should they? I don’t know.
You wrote,
That’s not true. You wrote just a bit earlier that,
So that’s at least one other option, though I understand why you may not like it.
At the end of the day though this is the product. I encourage you to reach out to https://help.openai.com though with your concerns, maybe they’ll change course and modify the permission structure.
You’ve already gotten one direct response from an OpenAI representative stating the permission structure is by design.
Honestly, while I do absolutely see the risks inherent in the current system, I do think the likelihood of some type of catastrophic accident or abuse is vanishingly small.
But, I do hope you find a resolution that sits with you. And, again, I also wish they had a permission structure more in line with what you’re proposing.