Skip to content

The 31 OpenAI security checks Black Cat runs

Black Cat SSPM evaluates 31 security policies against your OpenAI configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

highStale API Key

Delete stale OpenAI API keys that have not been used recently

mediumAPI Key Non-User Owner

Review OpenAI API keys owned by service accounts and ensure each has a documented purpose

mediumAdmin Key Sprawl

Consolidate OpenAI admin API keys to the minimum required and delete unnecessary ones

highStale Admin Key

Delete stale OpenAI admin API keys that have not been used recently

highAdmin Key Non-User Owner

Reassign OpenAI admin API keys owned by service accounts to user accounts for accountability

mediumExcessive Organization Owners

Reduce OpenAI organization owners to 2-3 by demoting unnecessary owners to lower roles

highOwner Redundancy Missing

Promote a second trusted member to Owner in the OpenAI organization for redundancy

lowInactive User

Remove inactive OpenAI organization members who no longer require access

lowDisabled User Not Removed

Remove disabled OpenAI users from the organization after confirming no active API keys remain

lowExcessive Service Accounts

Delete unnecessary OpenAI service accounts from projects with excessive service account counts

mediumExcessive Project API Keys

Revoke unused or duplicate OpenAI project API keys to reduce key sprawl

mediumProject With Only Service Accounts

Assign at least one human user as administrator to OpenAI projects owned only by service accounts

lowOrphaned Service Account

Delete OpenAI service accounts that are no longer associated with an active project

mediumStale Service Account

Rotate credentials or delete stale OpenAI service accounts that have not been active recently

lowEmpty Group

Remove OpenAI groups that have no members

mediumGroup Not SCIM-Managed

Bring manually managed OpenAI groups under SCIM management to reduce drift

lowStale Expired Invite

Remove expired OpenAI invites that are still present

highInvite Grants Owner Role

Verify pending OpenAI invites that grant the owner role are intentional

lowStale Pending Invite

Resend or revoke OpenAI invites that have been pending too long

mediumOverpermissive Custom Role

Reduce permissions on overpermissive OpenAI custom roles to follow least privilege

lowUnused Custom Role

Delete OpenAI custom roles that have no user assignments

audit

infoSensitive Audit Event

Investigate sensitive OpenAI audit events and revoke access if the action was unauthorized

configuration

mediumProject Without Rate Limits

Configure rate limits on OpenAI projects that have no usage restrictions

mediumActive Project Without Users

Assign responsible users to active OpenAI projects that have no members or archive them

mediumUsage Anomaly

Investigate OpenAI usage anomalies and set rate limits or spending caps to prevent recurrence

mediumExcessive API Request Volume

Implement OpenAI project-level rate limits for users with abnormally high API request volumes

lowDisproportionate Output Tokens

Investigate OpenAI users generating disproportionate output tokens for potential data extraction

highCertificate Expiring Soon

Renew or replace the OpenAI certificate before it expires

mediumInactive Certificate

Activate or remove inactive OpenAI certificates so mTLS is enforced

lowCertificate Without Project Scope

Scope organization-wide OpenAI certificates to specific projects

mediumUsage Category Anomaly

Investigate OpenAI usage categories spiking far above their average

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial