OpenAI Updates & Release Notes

Helping people understand the origin of AI-generated content through Content Credentials, SynthID, and an early public verification tool

People are using OpenAI’s tools everyday to create and edit images and audio in ways that make communication more expressive, useful, and accessible. As these tools become a part of how people build, imagine, and share, it’s important that people can understand and verify where the media comes from so they can interpret it with more confidence. Provenance signals can help by giving people context about where content came from, how it was created or edited, and whether it is what it claims to be.

Today we’re strengthening our approach to content provenance with a multi-layered, ecosystem-driven model to building trust online. We are making our provenance signals easier for other tools and platforms to recognize through C2PA conformance, adding durable cross-platform SynthID watermarking to images through a partnership with Google, and sharing a preview of a tool the public can use to verify whether images came from OpenAI.

Together these updates build on our earlier work⁠ to support open standards, make OpenAI-generated content easier to identify, and collaborate across the industry to support a more trustworthy information ecosystem.

Building the trust ecosystem through C2PA conformance

OpenAI has been engaged in the development and adoption of provenance standards since 2024, when we began adding Content Credentials to images generated by DALL·E 3⁠ (opens in a new window) and later to ImageGen⁠ (opens in a new window) and Sora⁠ (opens in a new window). We also joined the Steering Committee of the Coalition for Content Provenance and Authenticity (C2PA), the cross-industry group behind the open technical standard for content provenance. C2PA’s technical approach uses metadata and cryptographic signatures to help information about a piece of media securely travel with the content itself. This information includes context that helps journalists evaluating a source, platforms making integrity decisions, and people trying to understand what they are seeing online.

We recently took the step of making OpenAI a C2PA Conforming Generator Product⁠ (opens in a new window). By becoming C2PA conformant, we are giving platforms a trusted way to read, preserve, and pass along the provenance information we attach to our content. This matters because provenance only works if it survives beyond the first platform where content is created, and conformance makes that possible.

A multi-layered approach to provenance with Google SynthID for images

C2PA metadata is an important foundation for provenance. It helps content carry information about where it came from, how it was created or edited, and who signed that information. But metadata is not foolproof. It can be stripped, lost through uploads and downloads, or broken by transformations like file format changes, resizing, or screenshots.

To make provenance more resilient, we are taking a multi-layered approach and incorporating watermarking through Google DeepMind’s SynthID⁠ (opens in a new window), starting with images generated through ChatGPT⁠, Codex, or the OpenAI API. SynthID embeds an invisible watermarking layer that complements C2PA metadata-based approaches.

We’ve been building toward this for some time. We have used visible watermarks⁠ in Sora and an audio watermark⁠ in Voice Engine, and have continued to test and research accuracy and reliability over time. through deployment.

These two systems reinforce each other. C2PA helps content carry detailed context; SynthID helps preserve a signal when metadata does not survive. Watermarking can be more durable through transformations like screenshots, while metadata can provide more information than a watermark alone. Together, they make provenance more resilient than either layer would be on its own.

Detection and a preview of our public verification tool

Trusted metadata and watermarks that resist most modifications can make provenance signals more durable. But people need a way to detect these signals. We are now previewing a public verification tool⁠ that will help people verify whether an uploaded image was generated on ChatGPT, the OpenAI API, or Codex, by checking if it contains provenance signals, including Content Credentials and SynthID.

We believe provenance should be easier for people to verify and interpret, and that our tool can help people play a role in answering the question, “Was this generated with AI?” by integrating multiple signals. This builds on learnings from the initial research preview of our image detection classifier⁠ in 2024 and enables people to reliably detect whether a SynthID watermark originating from OpenAI is present in the media, as well as surface C2PA metadata when it is found.

No detection method is foolproof, so we take a cautious approach in cases when detection fails. If no metadata or watermark is detected, for example, the tool will not make a definitive conclusion about whether the image was generated with OpenAI tools since provenance signals can in some cases be stripped.

At launch, the tool is limited to content generated by OpenAI. In the upcoming months, we aim to support cross-industry efforts to make verification possible across platforms. Over time, we also expect to support more types of content that people may encounter online.

Looking ahead

No single provenance technique is enough on its own. We believe a strong approach combines shared standards, durable watermarking signals, and public verification. By building on our long-standing support for Content Credentials, becoming conformant with C2PA, adopting SynthID, and previewing public verification tooling, we hope to contribute in the long run to a more interoperable provenance ecosystem.

Original source

Today we’re releasing a preview of a new personal finance experience in ChatGPT to Pro users in the U.S. Now you can securely connect your financial accounts, see a dashboard of where your money is going, and ask ChatGPT questions grounded in your financial context – all while staying in control of your data. We’re starting with a preview to a smaller group so we can learn from real-world use, improve the experience, and expand thoughtfully.

Money touches nearly every part of life: where we live, what decisions we make, how we care for loved ones, what future we imagine. But managing finances today often means piecing together accounts, apps, cards, loans, and spreadsheets just to know where things stand. Even then, it can be hard to see the full picture or know what to do next.

People are already turning to ChatGPT for help: more than 200 million people come to ChatGPT⁠ every month for budgeting, questions about their investments, comparing different paths, planning for future goals, and more. Recent advances in GPT‑5.5 make ChatGPT stronger at reasoning through the complex, context-dependent questions that personal finance often requires.

With your financial accounts connected, ChatGPT can combine that reasoning with your real financial context and what you’ve shared about your goals, lifestyle, and priorities, helping you spot patterns, understand tradeoffs, and plan for big decisions in a way that feels more personal and complete. Now you can ask questions like:

ChatGPT can help you stay informed and feel more confident managing your finances, but it is not a replacement for professional financial advice.

Starting today, we’re rolling out the ability for Pro users in the U.S. to connect their financial accounts in ChatGPT on web and iOS, with support for more than 12,000 financial institutions. We’ll learn and improve from early use before rolling it out to Plus, with the goal of making it available to everyone.

How to get started

Connect your financial information

To get started, open Finances from the sidebar in ChatGPT and select ‘Get started’ or start a conversation from anywhere in ChatGPT by saying ‘@Finances, connect my accounts’.

ChatGPT will then guide you through securely linking accounts through Plaid, with Intuit support coming soon. After you authenticate, ChatGPT will begin syncing and categorizing your data, which may take a few minutes.

Once your accounts are synced, you can see a dashboard that gives you an up-to-date view of where you stand across portfolio performance, spending, subscriptions, upcoming payments, and more.

Beyond connected accounts, you can share important context about your financial life, like a mortgage, a savings goal, or a major purchase you’re planning for. For example, you might tell ChatGPT: “I’m saving up to buy a car early next year” or “I still owe my parents [X amount] for the loan they gave me.” ChatGPT can save that context to your Financial memories to inform future conversations.

That broader context is part of what makes this experience useful – instead of treating each question in isolation, ChatGPT can help connect the dots across your accounts, your goals, and what you’ve already shared, so the guidance is more personal and complete.

Without Finances connected

Help me come up with a plan to save a little bit more in the next few months.

Here’s a practical way to save a bit more over the next 2–3 months without making your life miserable.

1. Pick a specific target
   Make the goal concrete and time-bound.
   Examples:
   • “Save an extra $1,500 by August.”
   • “Build a one-month emergency cushion.”
   • “Save enough for travel / taxes / moving / investing.”
   A vague goal like “spend less” usually fades quickly.

2. Focus on the 3 highest-impact categories
   Most people don’t need to optimize everything. Usually 70–80% of extra savings comes from a few categories:
   Food & delivery
   Good targets:
   • Reduce takeout from 5x/week → 2x/week
   • Bring coffee/lunch a few days per week
   • Set a fixed “fun food” budget
   Even a small reduction here can free up a few hundred dollars monthly.
   Subscriptions & recurring charges
   Look for:
   • Duplicate streaming/services
   • Annual plans you forgot about
   • Apps you rarely use
   • Higher-tier plans you don’t need
   A 20-minute cleanup can permanently lower monthly burn.
   Impulse spending
   Instead of “don’t buy stuff,” use friction:
   • 48-hour rule for purchases over a set amount
   • Remove saved cards from shopping apps
   • Keep a running wishlist instead of instant purchases
   This cuts emotional purchases without feeling restrictive.

3. Automate the saving immediately
   The biggest difference-maker is usually automation.
   Try:
   • Automatic transfer every payday
   • Separate high-yield savings account
   • Move the money before you see it
   Even:
   • $75/week = ~$900 in 3 months
   • $150/week = ~$1,800 in 3 months
   Small consistent transfers beat occasional big efforts.

4. Create one “low-spend default”
   Don’t try to optimize every decision.
   Examples:
   • Weeknights = home-cooked meals
   • One no-spend day per week
   • Fixed entertainment budget
   • Only one convenience purchase category at a time
   Simple rules reduce decision fatigue.

5. Increase income slightly instead of only cutting
   For a short-term savings push, earning a little extra is often easier psychologically than aggressive budgeting.
   Ideas:
   • Sell unused gear/clothes/electronics
   • Freelance or consulting work
   • Small weekend project
   • Negotiate a recurring expense (insurance, internet, phone)
   Even an extra few hundred dollars changes momentum fast.

6. Track only one number weekly
   Avoid overcomplicated budgeting systems.
   Every week, check:
   “How much did my savings increase this week?”
   That keeps attention on progress rather than guilt.

A realistic “light effort” version
If you want something sustainable and low-stress:
Monthly
• Cut 2–3 subscriptions
• Reduce dining out modestly
• Auto-transfer savings on payday
Weekly
• One no-spend day
• One meal-prep session
• Quick 5-minute money check-in
That alone can often create an extra few hundred dollars/month without dramatic lifestyle changes.
If you want, I can also help you build:
• a lean 3-month savings plan,
• a category-by-category budget,
• or a “minimal pain” version based on your current spending habits.

With Finances connected

@Finances Help me come up with a plan to save a little bit more in the next few months.

I’ll look at recent spending, recurring charges, and cash-flow patterns, then turn that into a practical “save a little more” plan rather than a harsh budget.

Here’s the plan I’d use for the next few months. May is still early, so I’m anchoring this mostly on February–April plus the May-to-date spending.
At a $110K salary, the goal is not to make life feel overly restricted. It’s to create more consistency across normal spending categories so saving happens before the month gets away from you.
Your biggest flexible spending levers recently are:

Area | Feb 1–May 9 spend | What it suggests
Groceries & household | ~$2,150 | Normal, but worth tightening with a weekly target
Shopping | ~$1,250 | Good opportunity, especially Target/Amazon/clothing runs
Transportation | ~$1,450 | Gas, parking, rideshare, and car costs add up
Dining & drinks | ~$1,620 | Very actionable without cutting it entirely
Subscriptions & bills | ~$420 | Small, but easy cleanup

Target: save an extra $500–$750/month

I would not start by trying to eliminate every small pleasure. Your biggest wins are dining, shopping, transportation, and grocery pacing.

1. Dining: cap at $450/month
   Dining has been one of the easiest places for spending to drift. I’d set a realistic cap of $450/month, which still leaves room for takeout, coffee, and a few meals out.
   Expected savings: $150–$250/month.
   Use a simple rule: pick 2–3 meals out per week, then default to groceries for the rest.

2. Shopping: cap at $300/month
   Shopping is not extreme, but it’s the kind of category that can quietly turn into $500–$700 months through Amazon, Target, clothes, and household extras. I’d set a $300/month cap through August.
   Expected savings: $150–$250/month.
   Use a simple rule: anything over $75 waits 24 hours before buying.

3. Transportation: set a monthly ceiling
   Between gas, parking, car maintenance, and occasional rideshare, transportation can become a bigger budget item than it feels in the moment. I’d set a $400/month transportation target, excluding true emergencies or required repairs.
   Expected savings: $100–$200/month.
   The rule I’d use: rideshare is for late nights, bad weather, carrying things, or when it saves 25+ minutes. Otherwise default to driving, walking, transit, or planning ahead.

4. Groceries: use a weekly target, not a strict diet
   Groceries and household basics are necessary, so I wouldn’t treat this as “bad spending.” But I would set a weekly grocery target of about $125–$150 and try to avoid extra midweek convenience runs.
   Expected savings: $100–$150/month.

5. Subscriptions: small cleanup only
   The recurring charges are not where the big money is, but they’re still worth checking: streaming, apps, news, fitness, cloud storage, and memberships. Canceling one or two might save $20–$50/month. Useful, but not the main plan.

The monthly savings formula

For June–August:

Lever | Monthly target
Dining cap | +$200
Shopping cap | +$200
Transportation ceiling | +$150
Grocery pacing | +$125
Subscription cleanup | +$30
Total potential | ~$705/month

To make it stick, I’d automate $500/month to savings first. Then treat the extra $200–$250 as the stretch goal when dining, shopping, or transportation comes in lighter.

Best version of the plan: auto-save $500/month, cap dining at $450, cap shopping at $300, set a transportation ceiling, and use weekly grocery targets so the plan feels realistic instead of restrictive.

From answers to action, with ecosystem partners like Intuit

The vision for ChatGPT is to go beyond answering questions to help users take action towards improving their financial lives, and we’re working with trusted ecosystem partners like Intuit to do this. For example, a user could go from getting a credit card recommendation to understanding their approval odds and submitting an application, or from asking about tax implications of a stock sale to getting a trusted tax estimate and scheduling a session with a live, local tax expert, powered by Intuit and all inside ChatGPT.

Keeping your information private and secure

Your financial data is sensitive, and we have built this experience to respect your privacy and ensure that you’re in control of your information.

When you connect your accounts, ChatGPT can access your balances, transactions, investments, and liabilities to help visualize your finances or answer your questions. It cannot see full account numbers or make any changes to your accounts.

Your conversations with connected financial accounts follow the same model training settings you choose across ChatGPT. You can change this setting anytime in Settings > Data controls⁠.

You are always in control of your information:

• Disconnecting accounts: You can disconnect your financial accounts at any time in Settings > Apps > Finances, or from the Finances page. Once disconnected, your synced account data will be deleted from OpenAI’s systems within 30 days. Disconnecting an account will not affect financial information in your ChatGPT conversation history, but you can delete individual conversations at any time.
• Deleting financial memories: ChatGPT can remember key details you share, like goals, obligations, or context about your money, to make future financial conversations across ChatGPT more relevant and personalized. These are saved as financial memories, a dedicated type of memory used specifically to inform financial conversations. You can view or delete them at any time from the Finances page.
• Temporary chats: When you use temporary chats, ChatGPT won’t access your connected financial accounts. Temporary chats will not appear in your history.

To further secure your ChatGPT account, you can enable multi-factor authentication (MFA)⁠, which adds an extra layer of protection to help prevent unauthorized access.

Designed and evaluated for accuracy and quality

Conversations with connected financial accounts default to GPT‑5.5 Thinking, our latest reasoning model in ChatGPT.

Financial questions are personal, complex, and highly context-dependent. A helpful response needs to account for someone’s income, spending, balances, debts, goals, and timing, while being clear about uncertainty, assumptions, and when more information is needed.

To better understand how well ChatGPT serves people in these moments, we built an internal benchmark that helps us evaluate response quality holistically based on criteria developed with experts. We worked with over 50 finance professionals across leading institutions to evaluate this experience and grade ChatGPT’s performance on challenging personal finance tasks.

GPT‑5.5 Thinking outperforms earlier models on complex personal finance tasks. GPT‑5.5 Pro, available for people on ChatGPT Pro, achieves the best overall performance.

This benchmark gives us a clearer way to measure progress, and we will continue to improve how ChatGPT handles complex personal finance tasks over time.

What our ChatGPT Pro community testers are saying

“Connecting my finances in ChatGPT helped me figure out how to pay off our mortgage with a realistic monthly plan I could actually follow.”
—Richard K. Sohn, PsyD, psychologist

Original source

People come to ChatGPT every day to talk about what matters to them—from everyday questions to more personal or complex conversations. Across hundreds of millions of interactions, some of these conversations include people who are struggling or experiencing distress. We design our systems to respond carefully in these moments, including by providing crisis resources and connecting people with someone they trust⁠ when needed.

Today, we’re sharing new details about safety updates that help ChatGPT better recognize when risk may be emerging over time by identifying subtle or evolving cues, and using that context to inform safe responses. This helps ChatGPT distinguish between the hundreds of millions of safe interactions people have every day and the much rarer cases where added caution is needed, so it can respond more carefully—for example, by de-escalating, refusing harmful details, or redirecting toward safer alternatives.

These improvements build on years of extensive work⁠ across model training, evaluations, monitoring systems, and more than two years of collaboration with mental health and safety experts.

Why context matters in sensitive conversations

In sensitive conversations, context can matter as much as a single message. A request that appears ordinary or ambiguous on its own may carry a very different meaning when viewed alongside earlier signs of distress or possible harmful intent. To respond appropriately, we train ChatGPT to recognize the potential harmful intent from the surrounding context so that it can refuse the request, de-escalate, and guide the user toward support.

These cases are uncommon, but critically important to get right. Our goal is to help ChatGPT connect relevant signals when they matter without overreacting in ordinary conversations.

We focused this work on acute scenarios including suicide, self-harm, and harm-to-others. Working with mental health experts, we updated our model policies and training to improve ChatGPT’s ability to recognize warning signs that emerge over the course of a conversation and use that context to inform more careful responses.

In these rare, high-risk situations, ChatGPT can better distinguish between benign requests and those that may signal a higher risk of harm. This builds on our safe completion approach⁠, which is designed to refuse unsafe parts of a user request, and respond cautiously where it can safely do so. The goal is to help the model respond more appropriately to context, escalating caution when signals of harm emerge within conversations, while continuing to respond helpfully in benign situations.

Improving safety across conversations

Some safety risks can emerge across separate conversations. One conversation may include subtle signs of potentially harmful intent and then another may include related requests that only trigger concerns when understood in combination with the prior context. Without that safety-relevant context, the later conversation – and potentially important warning signs – may appear benign.

Building on our longstanding work to strengthen ChatGPT’s ability to recognize these signs of distress, we developed safety summaries: short, factual notes about earlier safety-relevant context that may matter in rare, high-risk situations. These summaries are created by a model trained for safety reasoning tasks and are narrowly scoped, kept only for a limited time, and used only when relevant to a serious safety concern. They are designed to capture factual safety context, not to serve as general personalization or long-term memory. Like we discussed above, we also trained ChatGPT to use this context more carefully, so it can better recognize when added caution is needed and respond appropriately – for example by de-escalating, refusing to provide details, or redirecting toward safer alternatives.

Working with mental health experts

We developed these systems with input from mental health professionals in our Global Physicians Network⁠, including psychiatrists and psychologists with expertise in forensic psychology, suicide prevention, and self-harm.

These experts helped inform decisions around when safety summaries should be created, how much prior context may be relevant, and how long the model should consider that context when responding. Their input helped ground this work in real-world expertise and support more appropriate responses in sensitive situations.

Measuring improvement

These updates help ChatGPT better recognize patterns of potentially harmful intent both within and across conversations. When concerning signals emerge gradually, the model is better able to identify the pattern and respond more safely.

In internal evaluations specifically designed to measure performance in challenging cases, these updates significantly improved safe responses in scenarios where risk became clearer over time. These tests measured how often the model gave the intended safe response in conversations designed to emulate high-risk situations.

In long single-conversation scenarios, the safe-response performance improved by 50% in suicide and self-harm cases, and by 16% in harm-to-others cases. This means the model was substantially more likely to recognize when earlier parts of the conversation changed the meaning of a later request and respond appropriately.

We also tested performance across multiple conversations and multiple models to help ensure these improvements remain effective as models evolve. On GPT‑5.5 Instant, the current default model in ChatGPT, the safe-response performance improved by 52% in harm-to-others cases and by 39% in suicide and self-harm cases.

We also evaluated the quality of the safety summaries themselves. Across more than 4,000 evaluations, they received an average safety relevance score of 4.93 out of 5 and a factuality score of 4.34 out of 5, indicating they were generally accurate and focused on the most important safety context.

Finally, we tested whether adding this safety context reduced quality in ordinary conversations. In our internal testing, responses remained broadly comparable in everyday chats, with no meaningful user preference between responses with or without safety summaries.

Looking ahead

Helping AI systems recognize risk that only becomes clear over time is a difficult, long-term challenge. Signals can be subtle, spread across messages, or buried within otherwise ordinary conversations. We will continue improving ChatGPT’s ability to identify those rare but important moments and respond appropriately.

Today, this work focuses on self-harm and harm-to-others scenarios. In the future, we may explore whether similar methods can help in other high-risk areas such as biology or cyber safety, with careful safeguards in place. This remains an ongoing priority, and we will continue strengthening safeguards as our models and understanding evolve.

Read more about our safety and mental health work:

• Our Commitment to Community Safety⁠
• Introducing Trusted Contact in ChatGPT⁠
• Strengthening ChatGPT’s Responses in Sensitive Conversations⁠

Original source

Codex is coming to your phone. Now in preview in the ChatGPT mobile app.

Codex is now in the ChatGPT mobile app so you can stay in the loop from anywhere while Codex gets work done across your laptops, devboxes, or remote environments.

As agents take on longer-running work, a new rhythm for collaboration is emerging. To keep work moving, you need to be able to easily answer a question, review what Codex found, change direction, approve what comes next, or add a new idea.

More than 4 million people now use Codex every week, and we’re seeing how much those small moments matter. A quick check-in can keep a thread moving, prevent unnecessary rework, or help Codex make progress with the right context. Now you can do that from your phone.

Stay connected to active work from anywhere

Codex in the ChatGPT mobile app is a fully-featured mobile experience for getting work done with Codex. When you connect to any of your machines where Codex is running (whether that’s your laptop, a dedicated Mac mini, or a managed remote environment), the app loads the live state from that environment so you can work fluidly across active threads, approvals, plugins, and project context.

This is more than the ability to remotely control a single task or dispatch new tasks to your computer. From your phone, you can work across all of your threads, review outputs, approve commands, change models, or start something new. Your files, credentials, permissions, and local setup stay on the machine where Codex is operating, while updates flow back to your phone in real time, including screenshots, terminal output, diffs, test results, and approvals.

Under the hood, Codex uses a secure relay layer that keeps trusted machines reachable across devices without exposing them directly to the public internet. That relay also keeps active session state and context synced anywhere you’re signed in with ChatGPT.

Step in when it matters

As Codex handles work over longer stretches, timely guidance becomes a bigger part of keeping that work useful. From your phone, you can start work when it is top of mind, unblock it when your judgment is needed, and stay close to the result as it takes shape.

With Codex in your pocket, now you can:

• Start investigating a bug while waiting for your coffee. Because Codex is running from your development environment, it can begin inspecting the relevant files, reproduce the issue in the browser, run tests, and begin working toward a fix. If Codex needs clarification or permission to continue, you can answer or approve from your phone. And as it works, you can follow along with screenshots, terminal output, test results, and eventually review the resulting diff before you are back at your computer.
• Reach a decision point during your commute. Before leaving for the office, you ask Codex to take on a refactor that will need time to work through, expecting to review the result when you get to your desk. Mid-commute, Codex finds two viable approaches and needs your direction before it can continue. From your phone, you review the tradeoffs, choose a path, and by the time you arrive, the task has kept moving in the direction you wanted.
• Head into a fast-moving customer conversation better prepared. You come out of back-to-back meetings to find a support issue evolving across Slack, email, documents, and browser-based tools, with a customer call coming up next. From your phone, you ask Codex to synthesize the latest updates, flag the key open questions, and prepare a concise briefing for the conversation. If new details come in, you can ask Codex to refresh the summary before you join.
• Turn a new idea into forward motion while it is still fresh. Whether you are at lunch, out for a walk, or listening to something that sparks a thought, you can send it to Codex from your phone by starting a new thread or adding it to active work. The task can begin taking shape before you return to your desk, without pulling you fully out of the moment that sparked it.

Run Codex in enterprise environments

Many teams already develop inside managed remote environments that provide approved dependencies, credentials, security policies, and compute resources.

With Remote SSH now generally available, Codex can connect directly into those environments. The desktop app automatically detects hosts from your SSH configuration and lets you create projects and run threads inside remote machines just like you would locally.

Once connected, those environments can become accessible across your authorized ChatGPT devices through the same secure relay infrastructure. That means you can start work on your desktop, steer execution from your phone, and keep long-running tasks moving without staying tied to a single machine.

We’re also releasing several updates that expand how teams can automate, customize, and manage Codex at scale:

• Programmatic access tokens provide scoped credentials that can be issued directly from ChatGPT workspace settings for CI pipelines, release workflows, and internal automations.
• Hooks (opens in a new window) are now generally available and can be used to scan prompts for secrets, run validators, log conversations, create memories, or customize Codex behavior for specific repositories and directories.
• Support for HIPAA-compliant use of Codex in local environments (CLI, IDE, App) for ChatGPT Enterprise workspaces, enabling healthcare organizations to support patient care and operational workflows with greater speed and confidence.

Availability

Codex in the ChatGPT mobile app is rolling out in preview on iOS and Android across all plans, including Free and Go, in all supported regions. Update the ChatGPT mobile app and the Codex app on macOS to try it out. Support for connecting your phone to the Codex app on Windows is coming soon.

Remote SSH and Hooks are available on all plans as well. Programmatic access tokens are available on Enterprise and Business plans. HIPAA-compliant use is supported for eligible ChatGPT Enterprise workspaces only when Codex is used in local environments.

Original source

When I joined the Codex engineering team in September 2025, Codex for Windows didn’t have a sandbox implementation meaning that Windows users were forced to choose between two subpar options when using OpenAI's coding agents:

1. Approving nearly every command (even reads) that a coding agent wanted to run, which is inefficient and pesky. A major benefit of using Codex is that you don’t have to do all the tedious work yourself.
2. Enabling Full Access mode: letting Codex run all commands without approval or restrictions, which removes friction at the expense of oversight.

Codex, our coding agent, runs on developer laptops—whether that's through the CLI, the IDE extension, or the desktop app. It manages a conversation between a human at a keyboard and a model running in the cloud to handle inference.

Codex runs with the permissions of a real user by default, meaning it can do everything the user can do. This is powerful and potentially dangerous. The coding model may tell the harness to run commands locally, from running tests to reading or editing a file to creating a Git branch, so Codex's default mode attempts to find the right balance between effectiveness and safety. This default mode allows Codex to read files almost anywhere and write files within your workspace (i.e., the directory where you're running Codex), with no internet access unless you specify you want it. To achieve this automatic constraint of writing files and accessing the network within safe bounds, Codex needs a sandbox environment that actually enforces these constraints.

A sandbox is a constrained execution environment. When a developer uses Codex, their computer's operating system launches a command with reduced permissions, and those constraints propagate down the process tree. Every Codex command is sandboxed from the start, and every descendant process stays inside the same boundary.

Codex needs isolation features enforced by the computer's operating system to implement an effective sandbox. Some operating systems provide utilities that do this well (e.g., Seatbelt on MacOs, seccomp or bubblewrap on Linux); however, Windows doesn't currently provide this type of capability out of the box.

To make Codex just as safe and delightful to use on Windows as it already is everywhere else, we needed to implement our own sandbox.

Where existing Windows tools fell short

Windows offers some tools and primitives for isolation. While none of them quite met our requirements, we looked at a number of potential solutions—namely, AppContainer, Windows Sandbox, and Mandatory Integrity Control labeling.

AppContainer

• What: AppContainer is the native Windows sandbox, a capability-based isolation model built for apps that know, up front, exactly what they need to access.
• Why: Appealing because it offers a real OS boundary instead of best-effort restrictions.
• Why not: Codex is not one tightly scoped app. It drives open-ended developer workflows: shells, Git, Python, package managers, build tools, and whatever other binaries the agent decides it needs. In practice, that made AppContainer the wrong shape for the problem. It was strong isolation, but for a much narrower class of workloads than “let an agent operate like a developer.”

Windows Sandbox

• What: Windows Sandbox is Microsoft’s disposable lightweight VM. You get a fresh Windows desktop with a strong isolation boundary, and whatever you do inside it disappears when the session ends.
• Why: Interesting for obvious reasons—far more compatible with arbitrary software than AppContainer, and from a security perspective it's a much stronger box.
• Why not: Codex needs to act directly on the user’s actual checkout, tools, and environment, not inside a separate throwaway desktop that would need setup and host/guest bridging. It also had a fundamental product problem: Windows Sandbox isn't even available on Windows Home SKUs.

Mandatory Integrity Control (MIC) integrity labeling

• What: Windows has a concept called “integrity levels,” such as low, medium, and high, that determine how much the system trusts objects and processes. The basic rule is that a lower-integrity process cannot write to an object with a higher integrity level, even if the normal ACL would otherwise allow it. For example, a low-integrity process is treated as less trusted, so Windows blocks it from writing to normal medium-integrity objects, unless those objects are explicitly relabeled to allow it.
• Why: MIC looked elegant on paper—run Codex at low integrity, relabel the writable roots as low integrity, and let Windows enforce no-writes everywhere else. That would've given us a non-admin path with a real OS mechanism behind it.
• Why not: Like ACLs, integrity labels modify the real host filesystem, and in this case the semantic change is especially broad. Marking a workspace as low integrity does not just mean “Codex can write here.” It means low-integrity processes in general can write there. On a real developer machine, that turns the user’s actual checkout into a low-integrity sink for the host, which is much riskier than granting carefully targeted ACLs to one sandbox design. Even if medium-integrity developer tools continue to work, the underlying trust model of the workspace has changed in a way that's hard to contain and harder to justify.

Having evaluated all of the options as non-starters, we started designing our own solution to bring a good Codex experience to Windows users.

The first prototype: the "unelevated sandbox"

Our first working prototype used a combination of Windows concepts and tools to implement the isolation we needed. From the beginning, one goal was to make this work without requiring elevation, meaning that Codex would not need to prompt the user for administrator privileges just to set up or run the sandbox. That meant figuring out how to put reasonable limits on two things: file writes and network access.

Limiting file writes

If we didn't limit file writes at all, we'd have a safety issue. If we limited file writes too much, the sandbox would hurt user productivity, needing to ask for constant approval. To solve this problem, we relied on two important Windows building blocks: SIDs and write-restricted tokens.

SIDs let us give the sandbox an identity

A SID, or security identifier, is the identity Windows ties to permissions. Each user has a SID, groups have SIDs, and even a single login session gets its own SID. For example, a current logged-in session might have a SID like S-1-5-5-X-Y. The SID assigned to the local administrators group might be S-1-5-32-544.

Windows also lets you create synthetic SIDs that don't correspond to a real user but can still appear in ACLs (access control lists), which define who can read/write/execute specific files or directories. That makes SIDs a useful primitive for our sandbox: we can create SIDs exclusively for the Codex sandbox to use, without interfering with anything else on the machine.

Write-restricted tokens limit where Codex can modify files

Process tokens are security objects in Windows that define identity and privileges for a running process. They determine what actions a process can perform. A write-restricted token is a particular type of process token that makes Windows perform an additional access check on write operations.

In order for a write to succeed, two checks must pass:

1. The normal user identity (the token “owner”) must be allowed to do it
2. At least one SID in the token’s restricted SID list must also be granted access

In practice, these checks let us use ACLs to define exactly where the sandbox could modify the filesystem, which offered the granularity we needed around write operations.

With SIDs and write-restricted tokens, our unelevated sandbox worked like this:

1. The sandbox setup created a synthetic SID called sandbox-write.
2. The sandbox-write SID was granted write, execute, and delete access to
   1. The current working directory
   2. Any additional writable_roots configured in config.toml.
3. The sandbox setup explicitly denied that same SID write access to “read-only within writable” locations such as:
   1. /.git
   2. /.codex
   3. /.agents
4. Codex launched commands under a write-restricted token whose restricted SID list includes Everyone, the current logged in session SID, and the sandbox-write synthetic SID.

This flow effectively solved limiting file writes and seemed promising. Now we needed a solution for limiting the sandbox's network access.

Limiting network access

Limiting network access is an important part of the sandbox; without it, malicious code could exfiltrate data from the machine up to the internet. Because we wanted to avoid an elevation requirement, we had limited options to strongly block network traffic. The tools we wanted to use, like Windows Firewall, generally could not be installed without admin permissions.

Without Windows Firewall as an option, we limited what we could control. We tried to make the child environment fail-closed for the kinds of networked tools developers actually use, so that Git commands, package installers, etc., would fail in the sandbox and the user would have to approve any internet-facing operations. The idea was to poison the obvious escape hatches: send proxy-aware traffic to a dead endpoint, make Git’s HTTP(S) transport do the same, and make Git over SSH fail immediately. On top of that, we prepended a small denybin directory to PATH and reordered PATHEXT so stub SSH and SCP scripts would resolve before the real binaries.

For example, here are some of the specific environment overrides we used to limit network access:

• HTTPS_PROXY=http://127.0.0.1:9
• ALL_PROXY=http://127.0.0.1:9
• GIT_HTTPS_PROXY=http://127.0.0.1:9
• NO_PROXY=localhost,127.0.0.1,::1
• GIT_SSH_COMMAND=cmd /c exit 1

That caught a lot of normal tool-driven traffic, but it was still only advisory. A process could ignore the environment, bypass PATH, or just open sockets directly—too risky.

The unelevated approach came with tradeoffs

As with any interesting software implementation, the first prototype had some pros and cons. While it got the job done with only a few standard Windows capabilities, allowed for very explicit and granular filesystem writes, and ran unelevated—cutting the need for users to accept excessive elevation prompts or be admins on their local machine—it had some real drawbacks, some of which disqualified it from becoming our final design:

• Speed of setup: Applying workspace ACLs can be expensive depending on the topology of the workspace directory.
• Footprint: We applied real ACLs to the developer’s system, although the footprint is not particularly invasive because all the applied ACLs pertain to a custom-created synthetic SID that is used only by the sandbox.
• Difficult-to-change semantics: The reliance on ACLs for file-based restrictions means it's expensive and complex to change sandbox semantics. Whereas on macOS, we can dynamically change how we generate the .sbpl file used to configure Seatbelt, the Windows sandbox could require a slow and intense operation to adjust ACLs.
• Network protection is weak. As mentioned before, it was “advisory,” would definitely be circumvented by some programs that implemented their own networking stack, and wasn't designed to hold up to adversarial code.

The first three issues are inherent to a custom sandbox implementation that's flexible enough for agentic flows. The network suppression story was different, though.

Network suppression is too important

In addition to a malicious agent being able to easily circumvent the environment-based network suppression, plenty of good-intentioned code/binaries would also circumvent it simply if they didn’t honor the environment proxy variables, or if they implemented their own socket-based network code. We felt that this aspect was enough to consider investing in a better sandbox mode.

To gain better network suppression, we wanted to use Windows Firewall, which allows us to block outbound network traffic for users or programs. Unfortunately, we couldn't effectively create a functional firewall rule that applied only to the commands spawned by the Codex harness for a few reasons:

• Windows doesn't allow matching a firewall rule to the non-principal identity of a restricted token. This means we couldn't apply a firewall rule to “any token that includes our synthetic SID in its restricted SID list."
• While we could create a firewall rule that matches a specific binary, that only allows us to limit networking for codex.exe itself. It wouldn't apply to the processes that the agent spawns on behalf of the user, like Git or Python processes.
• Other firewall match dimensions were the wrong shape, too. User-scoped rules still matched the real Windows user in the unelevated design, not just the restricted child. Program-path rules were too coarse: they could block codex.exe or python.exe generally, but not this one sandboxed invocation of python.exe. Port- or address-based rules were also the wrong policy entirely. For instance, we didn't want to block port 443; we wanted to block arbitrary outbound access for this specific restricted process tree.

To apply a firewall rule specifically to our sandboxed commands, we needed to run them as a separate principal, not as the “real” user. This approach led us down a new path, one in which we relaxed our “no elevation” constraint.

The redesign: the "elevated sandbox"

The next iteration of the sandbox, which is our current implementation, requires elevated admin permissions at setup time. I therefore refer to it as “the elevated sandbox.” At the boundary where Codex spawns a command on the system, the elevated sandbox looks like the unelevated one. It still runs child processes under a restricted token—similarly a write_restricted token with the same restricted SID list of [Everyone, Logon, Synthetic]—however, the principal of this token is no longer the actual Windows user but one of two local users created by Codex itself:

• CodexSandboxOffline (the one targeted by firewall rules)
• CodexSandboxOnline (the one not targeted by firewall rules)

This seemingly small detail actually has big implications for the sandbox, who can use it, and the complexity of its setup and runtime execution.

It’s visually similar to the unelevated prototype, with the introduction of firewall rules and a dedicated Windows user, which actually runs the commands. (However, the introduction of these new concepts, means that there is more setup work to do before the sandbox can start running and protecting commands.)

We now need a first-class setup step

The unelevated sandbox design had a simple setup step, but it was relatively small:

• Create a synthetic SID if needed
• Apply ACLs for the sandbox-write synthetic SID

The elevated sandbox, however, has more to do.

• Create a synthetic SID, if not already created
• Create the online and offline sandbox users, if not already created
• Store the newly-created users’ credentials locally and encrypt using the Windows Data Protection API (DPAPI) in a place where the sandbox users cannot actually read
• Create firewall rules that block all outbound network access for the CodexSandboxOffline user or, if they already exist, validate they're correct

There's an additional wrinkle in the setup stage. Codex’s sandbox is expected to have read access equivalent to the actual Windows user. In the unelevated sandbox, where the restricted token’s principal SID was the Windows user, this was achieved. However, that doesn't come for free when the principal becomes a new CodexSandbox user. Many relevant directories on Windows will grant read/execute permissions to “Authenticated Users”. One notable example is the user’s profile directory. By default, Windows users cannot read the profile directories of other Windows users, so even simple file reads in many scenarios would fail.

To address this, we added another layer to the sandbox setup process—one for granting read ACLs to the sandbox users where such ACLs might not already exist. For example, to some commonly used Windows directories:

• C:\Users<real-user>
• C:\Windows\
• C:\Program Files\
• C:\Program Files (x86)\
• C:\ProgramData\

Because this list of directories is best-effort and installing ACLs on each one can be quite expensive, we run this logic asynchronously so the sandbox setup step, which is blocking to users, doesn't have to wait for them to complete.

We encapsulated the setup logic in its own binary partly to cross the UAC boundary only when needed. But the deeper reason was architectural: sandbox setup has a fundamentally different job from codex.exe. Keeping the sandbox setup logic in a dedicated binary let codex.exe stay a normal, unelevated harness; kept the Windows-only setup machinery from bloating codex.exe on other platforms; decoupled longer-running setup work from the lifetime of the main process; and gave us one place to handle the different setup paths the sandbox needed.

The command runner is a new binary that actually runs user commands

Because of how Windows user and token login boundaries work, we couldn't continue to create a restricted token and spawn a process under it the way we could with the unelevated sandbox. To actually spawn commands as a different Windows user, our first idea was the following flow:

• codex.exe runs as the real Windows user. Then, in a sequence, Codex:
  • Calls LogonUserW(...) for the sandbox user.
  • Calls CreateRestrictedToken(...) on that sandbox-user token.
  • Using that restricted sandbox-user token, calls CreateProcessAsUserW(...) to launch the final child.

In practice, that desired flow didn't work because of a privilege wall at CreateProcessAsUserW(...). This means codex.exe could create a restricted token for the sandbox user, but it couldn't reliably launch a child with that token from the real-user side of the boundary. We needed a process that was already running as the sandbox user—this would let the restriction step and final spawn happen on the sandbox-user side of the boundary instead of the real-user side.

That requirement led to codex-command-runner.exe, a new binary whose only job is to mint a restricted token and spawn the requested command. Instead of asking codex.exe to do the entire flow itself (real user → sandbox user → restricted token → child process), we split the flow in two:

Part 1

• codex.exe calls CreateProcessWithLogonW(...) to launch codex-command-runner.exe as the sandbox user, without using a restricted token yet.

Part 2

• Inside the runner, OpenProcessToken(GetCurrentProcess(), ...) opens the runner’s own token, which already belongs to the sandbox user.
• The runner calls GetTokenInformation(...) to extract the sandbox logon SID, then CreateRestrictedToken(...) to build the final restricted token.
• Still inside the runner, it calls CreateProcessAsUserW(...) with that restricted token to launch the real child.

Albert Einstein said, “Everything should be made as simple as possible, but no simpler.” In that spirit, our design adequately solved each problem. The final architecture has the four layers we have previously covered:

• codex.exe itself
• codex-windows-sandbox-setup.exe for handling all elevated setup related work
• codex-command-runner.exe for running restricted token commands
• The child process

When I first approached this project, I did not have a strong sense of where it would wind up. My approach was to start by instrumenting the sandboxing capability in the boundary between Codex and the operating system. This approach closely matches how Codex’s sandbox is implemented on MacOs and Linux.

As I learned more about the specific tools that Windows provides, and through dozens of decisions balancing security and ease of use, the system grew to its current form—multiple binaries, custom users, firewall rules, an elevated setup step, asynchronous processes, and more.

It’s not a particularly simple system, but each piece of complexity was added out of necessity, to build a sandbox that is both safe and, as much as possible, not in the user's way.

Balancing safety with actual usefulness

Working to deliver a good user experience for Codex users on Windows, our goal was to make something safe that didn't compromise on usefulness—the whole point of using Codex is to have agents be able to do work without your constant attention.

One of the biggest lessons from this project was that Windows did not hand us one primitive that cleanly maps to “safe autonomous coding agent.” We composed several tools and concepts to build something coherent. Some early ideas were dead ends. The final design was a hybrid of earlier prototypes that each solved part of the problem.

The other lesson was that security for a coding agent is a different beast than more classic application security. Codex has to work for real developer workflows. The engineering work was about balancing compatibility with agentic workloads against real enforcement. That tension shaped tradeoffs in the final design.

Curious to see the Codex sandbox in action? Try it out.

Original source

OpenAI is launching the OpenAI Deployment Company

OpenAI is launching the OpenAI Deployment Company, a new company designed to help organizations build and deploy AI systems they can rely on every day across their most important work.

Successful AI deployment is about empowering people and teams to do more. The OpenAI Deployment Company will extend OpenAI’s ability to embed engineers specialized in frontier AI deployment, known as Forward Deployed Engineers, or FDEs, into organizations working on complex problems in demanding environments. These FDEs will work closely with business leaders, operators, and frontline teams to identify where AI can make the biggest impact, redesign organizational infrastructure and critical workflows around it, and turn those gains into durable systems.

In connection with the OpenAI Deployment Company’s launch, OpenAI has agreed to acquire Tomoro, an applied AI consulting and engineering firm that helps enterprises turn AI into operational advantage. The acquisition will bring approximately 150 experienced Forward Deployed Engineers and Deployment Specialists to the OpenAI Deployment Company from day one.

The OpenAI Deployment Company is a committed partnership between OpenAI and 19 leading global investment firms, consultancies, and system integrators. The partnership is led by TPG, with Advent, Bain Capital, and Brookfield as co-lead founding partners, and B Capital, BBVA, Emergence Capital, Goanna, Goldman Sachs, SoftBank Corp., Warburg Pincus, and WCAS as founding partners.

Investors also include leading consulting and systems integration firms, including Bain & Company, Capgemini, and McKinsey & Company. The Deployment Company will also work closely with and alongside OpenAI’s Frontier Alliance partners and the broader industry to drive AI adoption and change management globally.

The OpenAI Deployment Company is majority-owned and controlled by OpenAI, giving customers a unified experience whether they work with OpenAI, the OpenAI Deployment Company, or both. It will launch with more than $4 billion of initial investment, which it will use to scale operations and acquire firms that can accelerate our mission of ensuring that artificial general intelligence benefits all of humanity.

Why deployment matters

OpenAI was founded as a research and deployment company. From the beginning, we have believed that building powerful AI models is only part of the work. Real impact comes from helping people and organizations use those systems safely, effectively, and at scale.

Over the past several years, more than one million businesses have adopted OpenAI’s products and APIs. Across those deployments, one pattern has become increasingly clear: the next stage of enterprise AI will be defined by how effectively businesses can deploy this technology into real-world use cases, and how well we and our Alliance partner ecosystem can help them.

As models become more capable, businesses can apply AI to larger, more important parts of how they operate. The work now is helping organizations rethink critical workflows around intelligence that can reason, act, and deliver measurable results.

Building for where frontier AI is headed

We launched the OpenAI Deployment Company as a standalone business unit so it can develop the operating model, pace, and customer focus this work requires. At the same time, the OpenAI Deployment Company will operate as an extension of OpenAI, keeping customers closely connected to the research, product, and in-house deployment teams shaping frontier AI.

That connection is a major advantage. The OpenAI Deployment Company FDEs will be able to build for where OpenAI’s frontier capabilities are headed, giving customers systems designed to improve as new models, tools, and deployment patterns come online. Customers can move faster from day one, spend capital on durable systems, and stay ahead of competitors by building around the capabilities that are coming next.

FDEs will work alongside business leaders, technology leaders, operators, and frontline teams to rethink critical operations, processes, and workflows from the ground up. Their role is to help organizations move from identifying high-value AI opportunities to building production systems that deliver measurable results.

A typical OpenAI Deployment Company engagement will begin with a focused diagnostic of where AI can create the most value, followed by a small number of priority workflows selected with the customer’s leadership and operating teams. The OpenAI Deployment Company FDEs will then work inside the organization to design, build, test, and deploy production systems, connecting OpenAI models to the customer’s data, tools, controls, and business processes so teams can use them reliably in day-to-day work.

Accelerating deployment from day one

The Tomoro team will bring deep experience building and operating real-time AI systems in complex enterprise environments. Its work spans mission-critical workflows for companies such as Tesco, Virgin Atlantic and Supercell, where reliability, integration, governance, and measurable business impact matter from the start.

As part of the OpenAI Deployment Company after closing, the team will strengthen OpenAI’s ability to help customers move from use case selection to production deployment faster. Its engineers will help connect OpenAI models to customers’ data, tools, controls, and core business processes, accelerating DeployCo’s ability to deploy AI systems that work in day-to-day operations.

The acquisition is subject to customary closing conditions, including applicable regulatory approvals, and is expected to close in the coming months.

Scaling deployment across the economy

The OpenAI Deployment Company’s investment and consulting partners sponsor more than 2,000 businesses around the world, and its consulting and integrator partners work with many thousands more. These organizations span industries, company sizes, and workflows, giving the OpenAI Deployment Company a broad view of where AI can create value and which deployment patterns can scale.

The private equity sponsors also bring deep, repeatable experience helping companies execute operating transformation and change management across their portfolios. That capability is highly complementary to OpenAI and the OpenAI Deployment Company’s technical, product, and frontier AI deployment expertise. Together, the partnership can help customers identify and build the right AI systems, redesign workflows around them, drive adoption across teams, and turn AI deployment into durable operating change.

The OpenAI Deployment Company benefits from this combination: OpenAI’s visibility into where frontier AI capabilities are headed, and its partners’ practical experience helping companies execute complex transformations at scale. That will help OpenAI and the OpenAI Deployment Company learn faster, generalize the most effective solution patterns, and bring those lessons to more organizations across the economy.

“AI is becoming capable of doing increasingly meaningful work inside organizations. The challenge now is helping companies integrate these systems into the infrastructure and workflows that power their businesses. DeployCo is designed to help organizations bridge that gap and turn AI capability into real operational impact.”

— Denise Dresser, Chief Revenue Officer at OpenAI

Original source

How trusted access works

For years we’ve been chronicling our work to accelerate cybersecurity defenders, as part of our broader work to build the core infrastructure for AI. Last week, we released our action plan Cybersecurity in the Intelligence Age, which lays out our vision for democratizing AI-powered defense. Two weeks ago, we released GPT‑5.5, our smartest and most intuitive model to date, which is already delivering powerful cybersecurity capabilities to developers and security teams through Trusted Access for Cyber (TAC).

Today, we are rolling out GPT‑5.5‑Cyber in limited preview to defenders responsible for securing critical infrastructure to support specialized cybersecurity workflows that help protect the broader ecosystem.

We are focused on providing proportional safeguards and access to empower cyber defenders to protect society, and our approach has been informed by conversations with cybersecurity and national security leaders across federal and state government and major commercial entities.

The cyber defense ecosystem is broad, and GPT‑5.5 and GPT‑5.5‑Cyber play different roles in meeting the needs of organizations and researchers across it, depending on the task, the setting, and the safeguards around how the model is used. For most teams, GPT‑5.5 with TAC is our strongest broadly useful model for legitimate defensive work, with strong safeguards against misuse.

In this post, we are sharing more details on how Trusted Access for Cyber works, how GPT‑5.5 and GPT‑5.5‑Cyber meet the varied needs of defenders across the ecosystem, and how different levels of access affect model outputs.

How trusted access works

Trusted Access for Cyber is an identity and trust-based framework designed to help ensure enhanced cyber capabilities are being placed in the right hands. It is designed to make the cyber capabilities of GPT‑5.5 more useful for verified defenders working on defensive tasks, while continuing to restrict requests that could enable real-world harm.

When defenders are vetted and approved for Trusted Access for Cyber, they receive lower classifier-based refusals to enable authorized cybersecurity workflows, including vulnerability identification and triage, malware analysis, binary reverse engineering, detection engineering, and patch validation. Safeguards continue to block malicious activity such as credential theft, stealth, persistence, malware deployment, or exploitation of third-party systems.

As we announced last week, with increased access, defenders are required to have phishing-resistant account security protections. Individual members of Trusted Access for Cyber accessing our most cyber capable and permissive models will be required to enable Advanced Account Security beginning June 1, 2026. Organizations with trusted access can, as an alternative, attest that they have phishing resistant authentication as part of their single sign-on workflow.

Here is a breakdown for how to think about the current trusted access levels:

Access What changes Intended use cases GPT-5.5 (default) Standard safeguards for general-purpose use General-purpose, developer, and knowledge work GPT-5.5 with Trusted Access for Cyber More precise safeguards for verified defensive work in authorized environments Most defensive security workflows, including secure code review, vulnerability triage, malware analysis, detection engineering, and patch validation GPT-5.5-Cyber Most permissive behavior for specialized authorized workflows, paired with stronger verification and account-level controls Preview access for specialized workflows, including authorized red teaming, penetration testing, and controlled validation

The differences between model access levels are most pronounced when comparing prompts and responses. The first example illustrates how GPT‑5.5 compares to GPT‑5.5 with Trusted Access for Cyber on a defensive task: create a proof-of-concept from a published vulnerability to validate remediation within an authorized environment.

For most defenders, GPT‑5.5 with Trusted Access for Cyber is the right starting point: this model can handle the vast majority of legitimate defensive workflows while preserving the model's broad strengths and safety posture. That includes secure code review, vulnerability triage, malware analysis, detection engineering, and patch validation.

More specialized access becomes relevant only when authorized workflows still run into refusals. This occurs with higher risk workflows such as red teaming and penetration testing, where defenders may need to go beyond analysis, and validate exploitability in a controlled environment. GPT‑5.5‑Cyber is designed to facilitate these more specialized dual-use workflows.

Here’s a simple example that shows what that looks like in practice:

How GPT‑5.5 and GPT‑5.5‑Cyber perform on cyber tasks

GPT‑5.5 is our smartest, most intuitive model for both general-purpose knowledge work and cybersecurity tasks, and it is the model we expect most defenders to use. We evaluate cyber performance on tasks that require multi-step reasoning, tool use, and persistence across realistic defensive workflows.

The initial preview of cyber-permissive models like GPT‑5.5‑Cyber is not intended to significantly increase cyber capability beyond GPT‑5.5 - it’s primarily trained to be more permissive on security-related tasks.

As a result, this first preview is not expected to outperform GPT‑5.5 across every cyber evaluation. Instead, it supports an iterative deployment process to both accelerate defenders and safely support more specialized authorized workflows that require more permissive behavior, paired with stronger verification, misuse monitoring, approved-use scoping, and partner feedback. For now, GPT‑5.5 with Trusted Access for Cyber remains the recommended starting point for most security workflows.

Scaling defensive capability across the security ecosystem

We are partnering with security vendors because they sit where model capability can become customer protection: discovery, development, detection, response, and network enforcement. When those layers improve together, they create a security flywheel: researchers disclose vulnerabilities with exploit proof-of-concepts and patch guidance, software supply chain tools prevent vulnerable code and compromised dependencies from reaching production, EDR and SIEM partners detect exploitation in the wild, and network and security providers deploy WAF-level mitigations while fixes roll out.

GPT‑5.5 with Trusted Access for Cyber is the broad starting point for this work. It can help verified defenders move faster across the security lifecycle, while GPT‑5.5‑Cyber lets a smaller set of partners study advanced workflows where specialized access behavior may matter. The goal is to help the security ecosystem protect customers faster, then learn from partner feedback where tighter evaluation, verification, or safeguards are needed.

Network and security providers can reduce exposure while fixes are still rolling out. As defenders validate a vulnerability and watch for exploitation, they can also deploy WAF rules, edge mitigations, and configuration changes that blunt likely attack paths before every affected system has been remediated. GPT‑5.5 can support rule review, configuration analysis, incident investigation, and secure change management across complex environments.

We’re working with these partners to help us evaluate how those capabilities translate into protections customers can deploy at internet scale, including for critical infrastructure and public services where reducing exposure quickly matters.

Vulnerability research and patching

The flywheel starts with finding vulnerabilities, validating their criticality, and patching affected systems. GPT‑5.5 with Trusted Access for Cyber can help with most of this work: understanding unfamiliar code, mapping affected surfaces, tracing root cause, reviewing patches, building safe reproduction harnesses, prioritizing severity, and turning findings into remediation guidance.

Some vulnerability research requires more permissive behavior, especially when authorized partners need exploit proof-of-concepts for coordinated disclosure or controlled validation. Those are the workflows where GPT‑5.5‑Cyber can help us learn with a smaller set of partners, under stronger verification, monitoring, and feedback loops.

Detection and monitoring

If vulnerable software is already deployed, the next question is whether anyone is exploiting it. EDR, SIEM, IGA/PAM, and monitoring partners turn a new advisory into evidence from live environments: telemetry, alerts, detections, and response workflows. GPT‑5.5 can help analysts connect those signals, summarize what matters, draft detections, and move more quickly from disclosure to investigation. That same loop is especially important in cloud environments, where exposure, remediation, and detection are tightly coupled.

Software supply chain security

The next turn is preventing known-bad code from reaching production in the first place. Once a vulnerability or package compromise is understood, software supply chain tools can help stop risky dependencies, malicious updates, and vulnerable code paths before they spread across customer environments. GPT‑5.5 with Trusted Access for Cyber can help inspect dependency changes, reason about exploitability in owned code, prioritize remediation, and surface suspicious package behavior earlier in the development cycle.

Partners such as Snyk, Gen Digital, Semgrep, and Socket can help us test how these capabilities apply to incidents like the axios compromise, where the fastest fix is preventing vulnerable or compromised dependencies from entering the build at all.

Codex Security for open source and defenders

Open source is one of the fastest ways a vulnerability can spread across the ecosystem, so we are also investing upstream with maintainers. Codex Security helps teams identify, validate, and remediate vulnerabilities by building a codebase-specific threat model, exploring realistic attack paths, validating issues in isolated environments, and proposing patches for human review.

Through Codex for Open Source, selected maintainers of critical projects can receive conditional access to Codex Security alongside Codex and API credits to reduce maintenance and review load.

We’ve also released a Codex Security plugin⁠ that brings the existing security workflow directly into any Codex interface like the app or CLI, helping developers move from threat modeling to finding discovery, validation, attack-path analysis, and verified fixes.

Looking ahead

As models become more capable in cybersecurity, the best use of that capability is to help defenders find and fix weaknesses faster. Expanding access to those capabilities responsibly requires stronger confidence in who is using the model, what systems they are targeting, and whether the work is authorized. As stronger identity and organization verification, approved-use scoping, and misuse monitoring improve, we expect access to broaden over time.

Gaining access to Trusted Access for Cyber is straightforward:

• Individual users can verify their identity at chatgpt.com/cyber⁠⁠ (opens in a new window).
• Enterprises can request trusted access⁠ for their team through their OpenAI representative.

All customers approved through this process will gain access to versions of existing models with reduced friction around safeguards which might trigger on dual-use cyber activity, allowing them to continue to support security education, defensive programming, and responsible vulnerability research.

During alpha testing, GPT‑5.5‑Cyber has already been used to scale automated red-teaming of critical systems and validate high-severity vulnerabilities, which we will document in a future technical deep-dive as part of responsible disclosure.

We expect to continue to accelerate defenders with various models, including both our flagship models through Trusted Access for Cyber, and with dedicated cyber models like GPT‑5.5‑Cyber and even more cyber-capable models in the future.

Original source

A new generation of realtime voice models that can reason, translate, and transcribe as people speak.

We’re introducing three audio models in the API that unlock a new class of voice apps for developers. With these models, developers can build voice experiences that feel more natural, respond more intelligently, and take action in real time:

• GPT‑Realtime‑2, our first voice model with GPT‑5‑class reasoning that can handle harder requests and carry the conversation forward naturally.
• GPT‑Realtime‑Translate, a new live translation model that translates speech from 70+ input languages into 13 output languages while keeping pace with the speaker.
• GPT‑Realtime‑Whisper, a new streaming speech-to-text that transcribes speech live as the speaker talks.

Voice is becoming one of the most natural ways for people to use software. It lets someone ask for help while driving, change a travel plan while walking through an airport, get support in their preferred language, or move through a task without stopping to type.

But building useful voice products takes more than fast turn-taking or a natural-sounding voice. A voice agent needs to understand what someone means, keep track of context, recover when a request changes, use tools while the conversation continues, and respond in a way that feels appropriate to the moment.

Together, the models we are launching move realtime audio from simple call-and-response toward voice interfaces that can actually do work: listen, reason, translate, transcribe, and take action as a conversation unfolds.

As voice becomes a more natural way to use software, we’re seeing developers build around three emerging patterns in voice AI:

• Voice-to-action, where people can describe what they need and the system can reason through the request, use tools, and complete the task. For example, Zillow is building an assistant that can listen, reason, and act on requests like: “find me homes within my BuyAbility, avoid busy streets, and schedule a tour for Saturday.”
• Systems-to-voice, where software can turn context into live spoken guidance. For example, a travel app could proactively tell a traveler: “Your inbound flight is delayed, but you can still make your connection. I found the new gate, mapped the fastest route through the terminal, and your bag is still expected to transfer.”
• Voice-to-voice, where AI can help live conversations continue across languages, tasks, or changing context. For example, Deutsche Telekom is building voice support experiences where customers can speak in the language they’re most comfortable using, while the model translates the conversation in real time.

These patterns can also work together. Priceline is working toward a future where travelers can manage entire trips by voice: searching for flights and hotels conversationally, handling changes like adjusting a hotel reservation after a flight delay or getting real-time updates on TSA wait times, and translating conversations once travelers are on the ground.

GPT‑Realtime‑2 is built for live voice interactions where the model keeps the conversation moving while it reasons through a request, calls tools, handles corrections or interruptions, and responds in a way that fits the moment.

Key features of GPT-Realtime-2 include:

• Preambles: Developers can enable short phrases before a main response, like “let me check that” or “one moment while I look into it,” so users know the agent is working on the request.
• Parallel tool calls and tool transparency: The model can call multiple tools at once and make those actions audible with phrases like “checking your calendar” or “looking that up now,” helping agents stay responsive while completing tasks.
• Stronger recovery behavior: The model can recover more gracefully by saying things like “I’m having trouble with that right now,” instead of failing silently or breaking the conversation.
• Longer context for agentic workflows: Increasing the context window from 32K to 128K to support longer, more coherent sessions and more complex task flows.
• Stronger domain understanding: Better retention of specialized terminology, proper nouns, healthcare terms, and other vocabulary important in production settings.
• More controllable tone and delivery: The model can better adjust its tone—speaking calmly while resolving an issue, empathetically when a user is frustrated, or upbeat when confirming a successful action.
• Adjustable reasoning effort: Developers can select from minimal, low, medium, high, and xhigh reasoning levels, with low as the default, balancing lower latency for straightforward interactions with more deliberate reasoning for complex requests.

Performance improvements include a 15.2% higher score on Big Bench Audio for audio intelligence and a 13.8% higher score on Audio MultiChallenge for instruction following compared to GPT‑Realtime‑1.5.

Use cases include strategic reasoning, tone and expressiveness, spatial reasoning, alphanumerics, and logic puzzles.

Early business use cases:

• Zillow: GPT-Realtime-2 improved call success rate by 26 points on their hardest adversarial benchmark and showed stronger Fair Housing compliance.

GPT‑Realtime‑Translate helps developers build live multilingual voice experiences where each person can speak in their preferred language and hear the conversation translated in real time and read the real time transcriptions. It supports more than 70 input languages and 13 output languages, useful for customer support, cross-border sales, education, events, media, and creator platforms serving global audiences.

It preserves meaning while keeping pace with the speaker, even with natural speech, context switches, regional pronunciation, and domain-specific language. Deutsche Telekom is testing it for multilingual voice interactions.

GPT‑Realtime‑Whisper is a new streaming transcription model built for low-latency speech-to-text. It transcribes audio as people speak, enabling faster, more responsive, and natural live products such as captions, meeting notes, voice agents, and faster follow-up workflows in customer support, healthcare, sales, recruiting, and other high-volume spoken interactions.

Safety:

The Realtime API includes multiple layers of safeguards and mitigations to prevent misuse, including active classifiers that can halt conversations violating harmful content guidelines. Developers can add additional safety guardrails using the Agents SDK. Usage policies prohibit repurposing or distributing outputs for spam, deception, or harmful purposes. Developers must disclose AI interaction to end users unless obvious.

The Realtime API supports EU Data Residency for EU-based applications and is covered by enterprise privacy commitments.

Pricing & availability:

GPT‑Realtime‑2, GPT‑Realtime‑Translate, and GPT‑Realtime‑Whisper are available in the Realtime API.

• GPT‑Realtime‑2: $32 per 1M audio input tokens ($0.40 for cached input tokens) and $64 per 1M audio output tokens.
• GPT‑Realtime‑Translate: $0.034 per minute.
• GPT‑Realtime‑Whisper: $0.017 per minute.

Get started:

You can test the new realtime voice models in the Playground. To start building, open the provided prompt in Codex to add GPT‑Realtime‑2 to an existing app or start a new one. If you don’t have Codex yet, download the Codex app first.

Original source

We’re expanding ChatGPT ads with new ways for advertisers to buy and manage campaigns—built around our ads principles.

We’re taking the next step in our ChatGPT ads pilot by making it easier for businesses to participate while keeping the experience useful, private, and clearly separate from ChatGPT’s answers. Advertisers can now create ChatGPT ads through partners or a new beta self-serve Ads Manager. We’re also introducing cost-per-click (CPC) bidding and expanded measurement tools, giving businesses more flexible ways to buy, manage, and understand campaign performance without sharing conversations or personal details with advertisers. These updates make it easier for more businesses to participate and lay the groundwork for a broader ads platform built around how people use ChatGPT.

Expanding how businesses can buy ChatGPT ads

We initially worked directly with a small group of advertisers to launch campaigns in ChatGPT. As we’ve expanded the pilot, we’ve broadened access through partners and are now introducing beta self-serve tools for advertisers.

We have been collaborating with leading agency partners including Dentsu, Omnicom, Publicis, and WPP to support businesses purchasing ChatGPT ads. We’ve also added technology partners such as Adobe, Criteo, Kargo, Pacvue, and StackAdapt, and will continue to invest in and expand our partner ecosystem.

Through these partners, advertisers can access ChatGPT ads through tools and processes they already use to grow their businesses. These partners help support campaign budgeting, bidding and advertising creative, while OpenAI’s ads system controls all delivery decisions.

Today, we’re beginning to roll out a beta self-serve Ads Manager that allows advertisers in the US to sign up and purchase ads directly to appear in ChatGPT.

Ads Manager makes it easier for companies of all sizes, from SMBs and startups to global brands, to grow their businesses via ChatGPT. Businesses can register as advertisers, add payment information, set budgets, bids and pacing, upload ads, launch and manage campaigns, and view performance in the portal.

We’re gradually opening Ads Manager to more businesses as we continue to test and refine the experience. Businesses interested in learning more can sign up for an account here⁠ (opens in a new window).

Launching CPC bidding

In the first phase of the pilot, advertisers could buy ChatGPT ads on a CPM (cost-per-mille impressions) basis, as a preliminary means to understand demand, delivery, and early performance in a new environment. Now, we’re adding cost-per-click (CPC) bidding so advertisers can align their spend more directly with the actions people take after seeing an ad.

That matters because many ChatGPT conversations are active and decision-oriented. People are often learning about a category, comparing options, or deciding what to do next. In those moments, a click can be a meaningful signal that an ad was relevant and helped someone move forward. Advertisers are only charged based on a click outcome.

We’ll continue to support CPM and CPC buying, and over time expect to support more ways for advertisers to bid and optimize for the outcomes they care about most.

Developing more ways to measure results

One of the most requested capabilities during the ads pilot has been more robust measurement to help advertisers understand performance and what drives results.

We recently launched Conversions API and pixel-based measurement so advertisers can better understand what happens after someone engages with an ad, such as a purchase, lead, sign-up, or other meaningful action.

These tools are designed to improve measurement while protecting user privacy. Advertisers receive aggregated performance insights that help them understand campaign impact, without access to individual conversations.

Better measurement helps advertisers understand performance, and also helps improve the experience for people using ChatGPT. Stronger signals help us show more relevant ads, increase quality of ads matching, and build optimization systems that are accountable to real outcomes rather than impressions alone.

Building the ChatGPT ad platform

We’re still early in building advertising in ChatGPT, and our focus remains on supporting broader access to powerful AI and staying consistent with our principles⁠ that ChatGPT’s answers stay independent, conversations stay private, and users remain in control of their experience.

As people turn to ChatGPT to explore what they may need, evaluate options, and make decisions, we see an exciting opportunity to help them discover relevant products and services through ads. Over time, we plan to continue to evolve our ad platform with new formats, objectives, and capabilities to help businesses reach customers in useful and relevant ways and provide opportunities for businesses of all sizes to grow and thrive.

Original source

We’re updating ChatGPT’s default model, available to everyone, to be smarter and more accurate, with clearer, more concise answers that feel better tailored to you.

Because Instant is the daily driver for hundreds of millions of people, small improvements make a big difference. This update makes everyday interactions more useful and more enjoyable: stronger and tighter answers across subject areas, a more natural conversational tone, and better use of the context you’ve already shared when personalization can help.

Smarter, more accurate answers with less to sort through

Instant is now more dependable, with significant improvements in factuality across the board and the largest gains in domains where accuracy matters most. In internal evaluations, GPT‑5.5 Instant produced 52.5% fewer hallucinated claims than GPT‑5.3 Instant on high-stakes prompts covering areas like medicine, law, and finance. It also reduced inaccurate claims by 37.3% on especially challenging conversations users had flagged for factual errors.

GPT‑5.5 Instant is a generally smarter model that’s more capable across everyday tasks, including improvements in analyzing photo and image uploads, answering STEM-related questions, and deciding when to use web search to provide a more useful answer.

GPT‑5.5 Instant is the stronger answer because it recovers from its initial mistake: it first endorses the incorrect solution, but then catches that x =3 fails when plugged back into the original equation. It identifies the actual algebra error (the user moved terms incorrectly) and then uses the quadratic formula to get the correct solution. GPT‑5.3 Instant also catches that x =3 fails, but stops too early and incorrectly concludes there is no real solution instead of revisiting the algebra and solving the corrected quadratic.

These improvements are reflected in gains on evaluations across visual reasoning, math, and science:

With this update, the model’s responses are tighter and more to-the-point without losing substance, while keeping the warmth and personality that makes ChatGPT enjoyable to use. It can deliver the same information, often with more utility than previous models, while reducing the verbosity and overformatting that can make responses too long. It also asks fewer unnecessary follow-up questions and avoids things that can make responses feel cluttered, like gratuitous emojis.

More personalized responses and controls

Instant is now more effective at using context from past chats, files, and Gmail, if you have it connected, so answers feel more personally relevant while keeping you in control. It intelligently decides when a response can be improved with additional personalization and is faster at searching past conversations to find the right context, so you don’t have to repeat yourself as often. This is especially helpful for getting tailored suggestions and plans, or picking up where you left off for ongoing work.

We’re also introducing memory sources across all ChatGPT models, which give you visibility over what context was used to personalize responses with new controls. When a response is personalized, you can see what context was used, such as saved memories or past chats, and delete or correct it if something is outdated or no longer relevant.

Memory sources aren't shown to others if you choose to share a chat. You remain in control of what's in your memory: you can delete chats you no longer want to be cited, delete or change items in saved memories in settings, or use temporary chats that don't use or update your memory.

Memory sources are designed to make personalization easier to understand, but they may not show every factor that shaped an answer. For example, it may show you some of the most relevant past chats in sources instead of all the past chats it searched and referenced. We’ll continue improving this view to make it more comprehensive over time.

Availability

GPT‑5.5 Instant is rolling out starting today to all ChatGPT users, replacing GPT‑5.3 Instant as the default model, and in the API as chat-latest. For paid users, GPT‑5.3 Instant will remain available for three months, accessible through model configuration settings, before being retired.

Enhanced personalization from past chats, files, and connected Gmail is rolling out to Plus and Pro users on the web and coming soon to mobile with plans to expand to Free, Go, Business, and Enterprise in the coming weeks. Memory sources are rolling out across all ChatGPT consumer plans on the web and soon on mobile. Availability of specific personalization sources may vary by region.

Original source

Today, we’re introducing Advanced Account Security, a new opt-in setting for ChatGPT accounts, designed for people at increased risk of digital attacks, as well as for those who want the strongest account protections available. It brings together a set of heightened security measures that help safeguard against account takeover while making those protections easier to activate in one place. Once enrolled, Advanced Account Security protects users in Codex as well.

People are turning to AI for deeply personal questions and increasingly high-stakes work. Over time, a ChatGPT account can hold sensitive personal and professional context, and sit at the center of connected tools and workflows. For some people, like journalists, elected officials, political dissidents, researchers, and those who are especially security-conscious, the stakes are even higher.

This effort is part of our broader cybersecurity action plan⁠ (opens in a new window) to broaden access to the technologies that can help protect communities, critical systems, and our national security. We want users to have the controls to make the security and privacy choices that are right for them. At the same time, we want to ensure users understand that the increased protection of Advanced Account Security comes with an increased responsibility for account recovery.

How Advanced Account Security works

Advanced Account Security brings together a series of controls that strengthen sign-in protections, tighten account recovery, reduce exposure from compromised sessions, and give users more visibility into account activity. It’s available to opt into in the Security section of users’ ChatGPT accounts on web. Protection applies to both ChatGPT and Codex accounts that are accessed through that login.

Stronger sign-in methods. Advanced Account Security requires passkeys or physical security keys while disabling password-based login, helping make phishing-resistant sign-in the default for people who need it most.

More secure account recovery. If a user’s email account or phone number is compromised, an attacker may try to use one of them to gain access to their ChatGPT account via e-mail or SMS based recovery. To reduce this risk, Advanced Account Security disables email and SMS recovery and requires stronger recovery methods: backup passkeys, security keys, and recovery keys. Because account recovery is restricted to these more secure methods, OpenAI Support will not be able to assist with account recovery for users enrolled in Advanced Account Security.

Shorter sessions and clearer session management. Sign-in sessions are shortened to reduce the window of exposure if a device or active session is compromised. Users also receive alerts when there is a login to their account, and they can review and manage the active sessions across the various devices they’re signed into.

Automatic training exclusion. People working with especially sensitive information may opt not to have those conversations used for model training. With Advanced Account Security enabled, that preference is automatic: conversations from those accounts will not be used to train our models.

Making phishing-resistant authentication more accessible with Yubico

Using physical security keys, such as YubiKeys, is one of the strongest defenses against phishing. To make that level of protection easier to access, we have partnered with Yubico, a leader in hardware-based authentication and account protection, to offer our users preferred pricing on a customized bundle of best in class security keys. The YubiKey C Nano is designed to stay in your laptop for simple, low-friction daily authentication, and the YubiKey C NFC for backup, and use across laptops and mobile devices.

We’re launching this partnership as part of Advanced Account Security, but the bundle will be available to all eligible users in their security settings on web so more people can adopt stronger, phishing-resistant account protection. Users will also be able to use any other FIDO-compliant security key, or use software-based passkeys.

Protecting Trusted Access for Cyber

We continue to expand programs that give verified defenders access to more capable and permissive models, and we need to ensure that the accounts of those defenders are protected with our most advanced security protections.

Individual members of Trusted Access for Cyber accessing our most cyber capable and permissive models will be required to enable Advanced Account Security beginning June 1, 2026. Organizations with trusted access can, as an alternative, attest that they have phishing resistant authentication as part of their single sign-on workflow.

An important step, with more to come

OpenAI is becoming the core infrastructure for AI, making it possible for people around the world and businesses, big and small, to just build things. The broad consumer reach of ChatGPT creates a powerful distribution channel into the workplace, where demand is rapidly shifting from basic model access to intelligent systems that reshape how businesses operate. Developers build on and expand the platform by leveraging our APIs, and Codex is transforming how developers turn ideas into working software.

As AI becomes increasingly embedded in our lives, it is more important than ever to ensure that users have the controls they need to help protect their privacy and security.

Privacy and security are foundational to how we build all of our products and we’ll continue investing in protections that give people more control and stronger safeguards over time. We expect to extend this work to additional audiences, including enterprise environments, where stronger account security can matter just as much.

OpenAI users who want additional protection can enroll in Advanced Account Security ⁠ (opens in a new window) on web starting today.

Original source

Today, OpenAI and AWS are expanding our strategic partnership to help enterprises build using OpenAI capabilities in their AWS environments. We’re excited to give AWS customers access to the best frontier models, agents, and tools, which will operate within the systems, security protocols, compliance requirements, and workflows they already use.

The expanded partnership with Amazon brings together three key areas of work, all launching today in limited preview:

• OpenAI models on AWS
• Codex on AWS
• Amazon Bedrock Managed Agents, powered by OpenAI

Together, these capabilities give organizations more ways to use OpenAI across application development, software engineering, and agentic workflows—while building within the infrastructure, security, governance, and procurement workflows they already use on AWS.

Making OpenAI models and APIs accessible to customers on AWS

For many companies, using AI at scale requires bringing the best models to the systems their teams already use. That’s why we’re launching OpenAI models, including our best frontier model GPT‑5.5, on Amazon Bedrock.

Customers can now build with OpenAI models in AWS, alongside the services, security controls, identity systems, and procurement processes they already rely on.

For developers, that means more flexibility in how they build with OpenAI, from new AI applications to intelligence embedded in existing products to agentic workflows that can reason, take action, and support more complex business processes.

For enterprises, it means a clear single path from experimentation to production, with OpenAI capabilities available in the AWS environments where their most important workloads already run.

Bringing Codex to AWS

More than 4 million people now use Codex every week, and teams are using it across the software development lifecycle—to write code, explain systems, refactor applications, generate tests, modernize legacy codebases, and accelerate a broader set of professional workflows that extend beyond coding. Increasingly, they are also using Codex to accelerate research, analysis, and document-based work by connecting with the apps and tools they use every day, from summarizing source materials to creating briefs, slide decks, and spreadsheets.

Codex is OpenAI’s frontier coding harness and product suite, and organizations can now power Codex with OpenAI models served directly from Amazon Bedrock. This allows any company with an AWS commit and Bedrock access to frictionlessly start using OpenAI’s powerful coding agent and products.

Customers get started by configuring Codex to use Bedrock as the provider. This gives customers the enterprise-grade attributes they expect from AWS—including security, billing, and high availability. All customer data is processed by Amazon Bedrock, and eligible customers can apply Codex usage towards their AWS cloud commitments.

Codex on Bedrock is available in limited preview. Customers can configure Codex to use Amazon Bedrock through the Bedrock API, starting with Codex CLI, the Codex desktop app, and Visual Studio Code extension.

Launching Amazon Bedrock Managed Agents, powered by OpenAI

We are also launching Amazon Bedrock Managed Agents (opens in a new window), powered by OpenAI, giving enterprises a new way to deploy advanced agents within their trusted AWS environments.

With Bedrock Managed Agents, organizations can build agents that maintain context, execute multi-step workflows, use tools, and take action across complex business processes. This helps customers move from experimentation to production faster, while keeping agent development aligned with the infrastructure, security, and operational standards they expect from AWS.

For enterprises, Bedrock Managed Agents lets teams focus on making agents useful for real work, not assembling the infrastructure around them. It handles the harder parts of deployment, tool use, orchestration, and governance, with built-in integration across Amazon’s security and compliance controls. The result is a faster path from prototype to production for agents that can operate in real enterprise environments.

Expanding how enterprises can build with AI

Our strategic partnership with Amazon is focused on helping organizations deploy advanced AI at production scale. With OpenAI models, Codex, and Managed Agents now coming to Amazon Bedrock, customers have a faster, more secure path to putting AI to work across their business. We’re excited to see what your organizations build.

Get in touch here.

Original source

We’re releasing GPT‑5.5, our smartest and most intuitive to use model yet, and the next step toward a new way of getting work done on a computer.

GPT‑5.5 understands what you’re trying to do faster and can carry more of the work itself. It excels at writing and debugging code, researching online, analyzing data, creating documents and spreadsheets, operating software, and moving across tools until a task is finished. Instead of carefully managing every step, you can give GPT‑5.5 a messy, multi-part task and trust it to plan, use tools, check its work, navigate through ambiguity, and keep going.

The gains are especially strong in agentic coding, computer use, knowledge work, and early scientific research—areas where progress depends on reasoning across context and taking action over time. GPT‑5.5 delivers this step up in intelligence without compromising on speed: larger, more capable models are often slower to serve, but GPT‑5.5 matches GPT‑5.4 per-token latency in real-world serving, while performing at a much higher level of intelligence. It also uses significantly fewer tokens to complete the same Codex tasks, making it more efficient as well as more capable.

We are releasing GPT‑5.5 with our strongest set of safeguards to date, designed to reduce misuse while preserving access for beneficial work. We evaluated this model across our full suite of safety and preparedness frameworks, worked with internal and external redteamers, added targeted testing for advanced cybersecurity and biology capabilities, and collected feedback on real use cases from nearly 200 trusted early-access partners before release.

Today, GPT‑5.5 is rolling out to Plus, Pro, Business, and Enterprise users in ChatGPT and Codex, and GPT‑5.5 Pro is rolling out to Pro, Business, and Enterprise users in ChatGPT. API deployments require different safeguards and we are working closely with partners and customers on the safety and security requirements for serving it at scale. We'll bring GPT‑5.5 and GPT‑5.5 Pro to the API very soon.

OpenAI is building the global infrastructure for agentic AI, making it possible for people and businesses around the world to get work done with AI. Over the past year, we’ve seen AI dramatically accelerate software engineering. With GPT‑5.5 in Codex and ChatGPT, that same transformation is beginning to extend into scientific research and the broader work people do on computers.

Across these domains, GPT‑5.5 is not just more intelligent; it is more efficient in how it works through problems, often reaching higher-quality outputs with fewer tokens and fewer retries. On Artificial Analysis's Coding Index, GPT‑5.5 delivers state-of-the-art intelligence at half the cost of competitive frontier coding models.

GPT‑5.5 is our strongest agentic coding model to date. On Terminal-Bench 2.0, which tests complex command-line workflows requiring planning, iteration, and tool coordination, it achieves a state-of-the-art accuracy of 82.7%. On SWE-Bench Pro, which evaluates real-world GitHub issue resolution, it reaches 58.6%, solving more tasks end-to-end in a single pass than previous models. On Expert-SWE, our internal frontier eval for long-horizon coding tasks with a median estimated human completion time of 20 hours, GPT‑5.5 also outperforms GPT‑5.4.

Across all three evals, GPT‑5.5 improves on GPT‑5.4’s scores while using fewer tokens.

The model’s coding strengths show up especially clearly in Codex where it can take on engineering work ranging from implementation and refactors to debugging, testing, and validation. Early testing suggests GPT‑5.5 is better at the behaviors real engineering work depends on, like holding context across large systems, reasoning through ambiguous failures, checking assumptions with tools, and carrying changes through the surrounding codebase.

Beyond benchmarks, early testers said GPT‑5.5 shows a stronger ability to understand the shape of a system: why something is failing, where the fix needs to land, and what else in the codebase would be affected.

“The first coding model I’ve used that has serious conceptual clarity.”

Dan Shipper, Founder and CEO of Every, described GPT‑5.5 as “the first coding model I’ve used that has serious conceptual clarity.” After launching an app, he spent days debugging a post-launch issue before bringing in one of his best engineers to rewrite part of the system. To test GPT‑5.5, he effectively rewound the clock: could the model look at the broken state and produce the same kind of rewrite the engineer eventually decided on? GPT‑5.4 could not. GPT‑5.5 could.

“It genuinely feels like I’m working with a higher intelligence, and there’s almost a sense of respect.”

Pietro Schirano, CEO of MagicPath, saw a similar step change when GPT‑5.5 merged a branch with hundreds of frontend and refactor changes into a main branch that had also changed substantially, resolving the work in one shot in about 20 minutes.

Senior engineers who tested the model said GPT‑5.5 was noticeably stronger than GPT‑5.4 and Claude Opus 4.7 at reasoning and autonomy, catching issues in advance and predicting testing and review needs without explicit prompting. In one case, an engineer asked it to re-architect a comment system in a collaborative markdown editor and returned to a 12-diff stack that was nearly complete. Others said they needed surprisingly little implementation correction and felt more confident in GPT‑5.5’s plans compared with GPT‑5.4.

One engineer at NVIDIA who had early access to the model went as far as to say: "Losing access to GPT‑5.5 feels like I've had a limb amputated.”

“GPT-5.5 is noticeably smarter and more persistent than GPT-5.4, with stronger coding performance and more reliable tool use. It stays on task for significantly longer without stopping early, which matters most for the complex, long-running work our users delegate to Cursor.”

— Michael Truell, Co-founder & CEO at Cursor

The same strengths that make GPT‑5.5 great at coding also make it powerful for everyday work on a computer. Because the model is better at understanding intent, it can move more naturally through the full loop of knowledge work: finding information, understanding what matters, using tools, checking the output, and turning raw material into something useful.

In Codex, GPT‑5.5 is better than GPT‑5.4 at generating documents, spreadsheets, and slide presentations. Alpha testers said it outperformed past models on work like operational research, spreadsheet modeling, and turning messy business inputs into plans. When combined with Codex’s computer use skills, GPT‑5.5 brings us closer to the feeling that the model can actually use the computer with you: seeing what’s on screen, clicking, typing, navigating interfaces, and moving across tools with precision.

Teams at OpenAI are already using these strengths in real workflows. Today, more than 85% of the company uses Codex every week across functions including software engineering, finance, communications, marketing, data science, and product management. In Comms, the team used GPT‑5.5 in Codex to analyze six months of speaking request data, build a scoring and risk framework, and validate an automated Slack agent so low-risk requests could be handled automatically while higher-risk requests still route to human review. In Finance, the team used Codex to review 24,771 K-1 tax forms totaling 71,637 pages, using a workflow that excluded personal information and helped the team accelerate the task by two weeks compared to the prior year. On the Go-to-Market team, an employee automated generating weekly business reports, saving 5-10 hours a week.

In ChatGPT, GPT‑5.5 Thinking unlocks faster help for harder problems, with smarter and more concise answers to help you move through complex work more efficiently. It excels at professional work like coding, research, information synthesis and analysis, and document-heavy tasks, especially when using plugins.

In GPT‑5.5 Pro, early testers are seeing a significant step up in both the difficulty and quality of work ChatGPT can take on, with latency improvements that make it much more practical for demanding tasks. Compared to GPT‑5.4 Pro, testers found GPT‑5.5 Pro’s responses significantly more comprehensive, well-structured, accurate, relevant, and useful, with especially strong performance in business, legal, education, and data science.

GPT‑5.5 reaches state-of-the-art performance across multiple benchmarks that reflect this kind of work. On GDPval, which tests agents’ abilities to produce well-specified knowledge work across 44 occupations, GPT‑5.5 scores 84.9%. On OSWorld-Verified, which measures whether a model can operate real computer environments on its own, it reaches 78.7%. And on Tau2-bench Telecom, which tests complex customer-service workflows, it reaches 98.0% without prompt tuning. GPT‑5.5 also performs strongly across other knowledge work benchmarks: 60.0% on FinanceAgent, 88.5% on internal investment-banking modeling tasks, and 54.1% on OfficeQA Pro.

GPT‑5.5 also shows gains on scientific and technical research workflows, which require more than answering a hard question. Researchers need to explore an idea, gather evidence, test assumptions, interpret results, and decide what to try next. GPT‑5.5 is better at persisting across that loop than other models.

Notably, GPT‑5.5 shows a clear improvement over GPT‑5.4 on GeneBench, a new eval focusing on multi-stage scientific data analysis in genetics and quantitative biology. These problems require models to reason about potentially ambiguous or errorful data with minimal supervisory guidance, address realistic obstacles such as hidden confounders or QC failures, and correctly implement and interpret modern statistical methods. The model’s performance is striking in light of the fact that tasks here often correspond to multi-day projects for scientific experts.

Similarly, on BixBench, a benchmark designed around real-world bioinformatics and data analysis, GPT‑5.5 achieved leading performance among models with published scores. The model’s scientific capabilities are now strong enough to meaningfully accelerate progress at the frontiers of biomedical research as a bona fide co-scientist.

In another example, an internal version of GPT‑5.5 with a custom harness helped discover a new proof about Ramsey numbers, one of the central objects in combinatorics. Combinatorics studies how discrete objects fit together: graphs, networks, sets, and patterns. Ramsey numbers ask, roughly, how large a network has to be before some kind of order is guaranteed to appear. Results in this area are rare and often technically difficult. Here, GPT‑5.5 found a proof of a longstanding asymptotic fact about off-diagonal Ramsey numbers, later verified in Lean. The result is a concrete example of GPT‑5.5 contributing not just code or explanation, but a surprising and useful mathematical argument in a core research area.

Early testers used GPT‑5.5 Pro in ChatGPT less like a one-shot answer engine and more like a research partner: critiquing manuscripts over multiple passes, stress-testing technical arguments, proposing analyses, and working with code, notes, and PDF context. The common thread is that GPT‑5.5 is better at helping researchers move from question to experiment to output.

“It’s incredibly energizing to use OpenAI’s new GPT-5.5 model in our harness, have it reason over massive biochemical datasets to predict human drug outcomes, and then see it deliver significant accuracy gains on our hardest drug discovery evals. If OpenAI keeps cooking like this, the foundations of drug discovery will change by the end of the year.”

— Brandon White, Co-Founder & CEO at Axiom Bio

Serving GPT‑5.5 at GPT‑5.4 latency required rethinking inference as an integrated system, not a set of isolated optimizations. GPT‑5.5 was co-designed for, trained with, and served on NVIDIA GB200 and GB300 NVL72 systems. Codex and GPT‑5.5 were instrumental in how we achieved our performance targets. Codex helped the team move faster from idea to benchmarkable implementation, sketching approaches, wiring experiments, and helping identify which optimizations were worth deeper investment. GPT‑5.5 helped find and implement key improvements in the stack itself. Put simply, the model helped improve the infrastructure that serves it.

One such improvement was load balancing and partitioning heuristics. Before GPT‑5.5, we split requests on an accelerator into a fixed number of chunks to balance work across computing cores, ensuring big and small requests could run on the same GPU. However, a pre-determined number of static chunks is not optimal for all traffic shapes. To better utilize GPUs, Codex analyzed weeks’ worth of production traffic patterns and wrote custom heuristic algorithms to optimally partition and balance work. The effort had an outsized impact, increasing token generation speeds by over 20%.

Preparing the world for models that are very good at finding and patching security vulnerabilities is a team sport and will require the entire ecosystem to work hard to build resilience, with democratized model access and iterative deployment for the next era of cyber defense.

Frontier models are becoming increasingly more capable in cybersecurity. Those capabilities will become broadly distributed and we believe the best path forward is to make sure they can be put to use for accelerating cyber defense and strengthening the ecosystem.

GPT‑5.5 is an incremental but important step towards AI that can solve some of the world’s toughest challenges like cybersecurity. With GPT‑5.2 in December, we proactively deployed the necessary cyber safeguards to limit potential cyber abuse with our models; now with GPT‑5.5, we’re deploying stricter classifiers for potential cyber risk which some users may find annoying initially, as we tune them over time.

We’ve identified cybersecurity as a category in our Preparedness Framework for years as our models have incrementally improved, while we develop and calibrate mitigations iteratively, to be able to responsibly release models with meaningful cybersecurity capabilities.

We are deploying industry-leading safeguards for this level of cyber capability.

We first introduced cyber-specific safeguards with GPT‑5.2 last year, which we have continued to test, refine, and build on in subsequent deployments. For GPT‑5.5, we designed tighter controls around higher-risk activity, sensitive cyber requests, and added protections for repeated misuse. Broad access is made possible through our investments in model safety, authenticated usage, and monitoring for impermissible use. We have been working with external experts for months to develop, test and iterate on the robustness of these safeguards. With GPT‑5.5, we are ensuring developers can secure their code with ease, while putting stronger controls around the cyber workflows most likely to cause harm by malicious actors.

We are expanding access to accelerate cyber defense at every level.

We are making our cyber-permissive models available through Trusted Access for Cyber, starting with Codex, which includes expanded access to the advanced cybersecurity capabilities of GPT‑5.5 with fewer restrictions for verified users meeting certain trust signals at launch. Organizations who are responsible for defending critical infrastructure can apply to access cyber-permissive models like GPT‑5.4‑Cyber, while meeting strict security requirements to use these models for securing their internal systems. This gives a wide range of verified defenders more capable tools for legitimate security work with less unnecessary friction to ensure we democratize access to important defensive capabilities. Users can apply for trusted access at chatgpt.com/cyber to reduce unnecessary refusals while using GPT‑5.5 for verified defensive work.

We are working with government partners to help protect critical infrastructure for the public.

Together, we are exploring how advanced AI can support the defensive work of trusted officials responsible for systems people rely on, from the digital systems that secure important taxpayer data to the power grid and water supplies in local communities.

We are treating the biological/chemical and cybersecurity capabilities of GPT‑5.5 as High under our Preparedness Framework. While GPT‑5.5 didn’t reach Critical cybersecurity capability level, our evaluations and testing showed that its cybersecurity capabilities are a step up compared to GPT‑5.4.

In addition, GPT‑5.5 went through our full safety and governance process prior to release, including preparedness evaluations, domain-specific testing, new targeted evaluations for advanced biology and cybersecurity capabilities, and robust testing with external experts. We share more details in the GPT‑5.5 system card.

This work reflects our broader AI resilience approach, which we believe is needed as model capabilities advance. We want powerful AI to be available to the people using it to defend systems, institutions, and the public. The viable path is trusted access, robust safeguards that scale with capability, and the operational capacity to detect and respond to serious misuse.

Today, GPT‑5.5 is rolling out to Plus, Pro, Business, and Enterprise users in ChatGPT and Codex, and GPT‑5.5 Pro is rolling out to Pro, Business, and Enterprise users in ChatGPT. We'll bring GPT‑5.5 and GPT‑5.5 Pro to the API very soon.

In ChatGPT, GPT‑5.5 Thinking is available to Plus, Pro, Business, and Enterprise users. GPT‑5.5 Pro, designed for even harder questions and higher-accuracy work, is available to Pro, Business, and Enterprise users.

In Codex, GPT‑5.5 is available for Plus, Pro, Business, Enterprise, Edu, and Go plans with a 400K context window. GPT‑5.5 is also available in Fast mode, generating tokens 1.5x faster for 2.5x the cost.

For API developers, gpt-5.5 will soon be available in the Responses and Chat Completions APIs at $5 per 1M input tokens and $30 per 1M output tokens, with a 1M context window. Batch and Flex pricing are available at half the standard API rate, while Priority processing is available at 2.5x the standard rate. We will also release gpt-5.5-pro in the API for even higher accuracy, priced at $30 per 1M input tokens and $180 per 1M output tokens. See the pricing page for full details.

While GPT‑5.5 is priced higher than GPT‑5.4, it is both more intelligent and much more token efficient. In Codex, we have carefully tuned the experience so GPT‑5.5 delivers better results with fewer tokens than GPT‑5.4 for most users, while continuing to offer generous usage across subscription levels.

Original source

We’re introducing ChatGPT for Clinicians

We’re introducing ChatGPT for Clinicians, a version of ChatGPT designed to support clinical tasks like documentation and medical research so clinicians can focus on delivering high-quality patient care. We’re making it free for any verified physician, NP, PA, or pharmacist, starting in the U.S.

The U.S. healthcare system today is under extraordinary strain. Clinicians are being asked to care for more patients while managing growing administrative demands and a rapidly expanding body of medical research. Many are already turning to AI tools like ChatGPT for support. According to a 2026 survey by the American Medical Association (opens in a new window), physician use of AI is now at an all-time high, with 72% of physicians reporting they now use AI in clinical practice, up from 48% last year. Today, millions of clinicians worldwide use ChatGPT to support their clinical care every week, for applications like care consult, writing and documentation, and medical research. Clinician usage of ChatGPT has more than doubled over the past year.

As demand for AI in clinical settings grows, so does the responsibility to continuously improve our model’s performance and safety on clinical use cases and offer solutions that can safely and effectively support healthcare workflows. Earlier this year, we introduced ChatGPT for Healthcare, which allows organizations to deploy ChatGPT to clinicians, administrators, and researchers with the compliance and controls they need at scale. Clinicians across leading U.S. health systems are now using it to move faster through administrative work like medical research and documentation, and get time back for patient care.

Enabling free access to ChatGPT for Clinicians is the next step, in support of our mission to ensure AGI benefits all of humanity. Learn more on our website (opens in a new window) or get started (opens in a new window).

ChatGPT for Clinicians builds on our foundation of continual model evaluation and improvement in health in partnership with clinicians. With its release, we are also introducing HealthBench Professional (opens in a new window), an open benchmark for real clinician chat tasks across three use cases: care consult, writing and documentation, and medical research, building on HealthBench’s broader evaluation of health conversations.

“This version of ChatGPT is as close to an ideal clinical support partner as it gets. It’s like an on-demand consultant I can engage on everything from current guidelines to billing and coding, with the added benefit of broad access to pediatric and pediatric subspecialty literature.”

Designed for and with clinicians

Our team worked with hundreds of physician advisors to inform and improve capabilities for ChatGPT for Clinicians, and ensure they support key clinician use cases.

ChatGPT for Clinicians includes:

• Advanced AI models for complex clinical questions: Free access to our current frontier models for healthcare use cases—to help handle questions, research, and documentation more reliably.
• Skills for repeatable clinical workflows: Turn common workflows into reusable skills so ChatGPT can follow the same steps each time for tasks like referral letters, prior auth, and patient instructions.
• Trusted clinical search: Reason through cases faster and with greater confidence with real-time, cited answers based on evidence from millions of reputable, peer-reviewed medical sources.
• Deep research across medical journals: Delegate medical literature reviews to ChatGPT, set the sources you trust, steer the research if needed, and let it compile a comprehensive, well-cited report in minutes.
• CME from real clinical questions: As you research clinical questions in ChatGPT, eligible evidence review can automatically count toward continuing medical education credits—without separate courses or extra paperwork.
• Optional support for HIPAA compliance: Many clinical tasks don’t require PHI, but if needed, HIPAA support is available through a Business Associate Agreement (BAA) for eligible accounts.
• Account security and privacy: Conversations are not used to train models, plus protections like multi-factor authentication, help keep sensitive work secure.

Learn more about ChatGPT for Clinicians (opens in a new window) or get started (opens in a new window).

Continuing to evaluate and strengthen model health performance and safety

We are always improving the safety and accuracy of ChatGPT’s responses in health scenarios. OpenAI’s physician advisors continuously review model responses and provide feedback on quality, reasoning, trustworthiness, and safety. To date, they have reviewed more than 700,000 model responses that reflect how clinicians and patients may use ChatGPT in the real world; every few minutes a new model response is reviewed by a physician.

OpenAI’s models rank as the top-performing systems for real-world healthcare use on third party evaluations like Stanford’s MedHELM (opens in a new window) and MedMarks (opens in a new window). ChatGPT for Clinicians builds on models like GPT‑5.4, which outperform other models on OpenAI’s HealthBench.

That rigor also shaped the development of ChatGPT for Clinicians. Before release, physician advisors tested 6,924 conversations in their daily work across clinical care, documentation, and research. Overall, physicians rated 99.6% of responses as safe and accurate. On a subset of 355 examples where for each, three independent physicians specified ground-truth citations, ChatGPT for Clinicians cited those sources more often than human physicians. Even so, ChatGPT for Clinicians is designed to support clinicians with information, not replace their judgment or expertise.

Today, we are also introducing HealthBench Professional (opens in a new window), an open benchmark for real clinician chat tasks across three use cases: care consult, writing and documentation, and medical research. Building on HealthBench’s broader evaluation of health conversations, it uses physician-authored conversations and rubrics, multi-stage physician adjudication, and careful data filtering to measure performance and safety in common clinician chats.

HealthBench Professional examples were chosen for their quality, representativeness, and difficulty to enable continued measurement of progress. About a third of examples involved physicians deliberately “red teaming,” or trying to find issues in our models, and across the dataset we selected for the most difficult conversations for our models by a factor of 3.5x.

We report results in ChatGPT for Clinicians and across models. As a strong baseline, we asked human physicians to produce their own responses for tasks in their specialty, with unbounded time and web access. We found that GPT‑5.4 in the ChatGPT for Clinicians workspace outperforms base GPT‑5.4, all other OpenAI and external models, and human physicians.

We hope HealthBench Professional supports the community in measuring and further improving AI systems that can help clinicians deliver better care. Learn more via the paper (opens in a new window) or download the dataset (opens in a new window).

Global access

The free version of ChatGPT for Clinicians is currently available to verified U.S. physicians, NPs, PAs and pharmacists.

We plan to expand access to additional countries and groups over time. In the coming months, we’ll begin by working with the Better Evidence Network to pilot access for verified clinicians outside the United States, as permitted by local regulations.

Improving human health will be one of the defining impacts of AI—but realizing that potential will require close collaboration across health systems, clinicians, patients, regulators, and technology companies worldwide. Alongside these updates we’re also releasing a Health Blueprint (opens in a new window) that offers recommendations for the responsible integration of AI in healthcare in the U.S. We look forward to evolving these products with feedback, and partnering with the medical community to help AI realize its full potential in health.

Learn more on our website (opens in a new window).

Original source

Our state of the art model for masking personally identifiable information (PII) in text

Today we’re releasing OpenAI Privacy Filter, an open-weight model for detecting and redacting personally identifiable information (PII) in text. This release is part of our broader effort to support a more resilient software ecosystem by providing developers practical infrastructure for building with AI safely, including tools and models that make strong privacy and security protections easier to implement from the start.

Privacy Filter is a small model with frontier personal data detection capability. It is designed for high-throughput privacy workflows, and is able to perform context-aware detection of PII in unstructured text. It can run locally, which means that PII can be masked or redacted without leaving your machine. It processes long inputs efficiently, making redaction decisions in a quick, single pass.

At OpenAI, we use a fine-tuned version of Privacy Filter in our own privacy-preserving workflows. We developed Privacy Filter because we believe that with the latest AI capabilities, we could raise the standard for privacy beyond what was already on the market. The version of Privacy Filter we are releasing today achieves state-of-the-art performance on the PII-Masking-300k benchmark, when corrected for annotation issues we identified during evaluation.

With this release, developers can run Privacy Filter in their own environments, fine tune it to their own use cases, and build stronger privacy protections into training, indexing, logging, and review pipelines.

A small model with frontier personal data detection capability

Privacy protection in modern AI systems depends on more than pattern matching. Traditional PII detection tools often rely on deterministic rules for formats like phone numbers and email addresses. They can work well for narrow cases, but they often miss more subtle personal information and struggle with context.

Privacy Filter is built with deeper language and context awareness for more nuanced performance. By combining strong language understanding with a privacy-specific labeling system, it can detect a wider range of PII in unstructured text, including cases where the right decision depends on context. It can better distinguish between information that should be preserved because it is public, and information that should be masked or redacted because it relates to a private individual.

The result is a model that is strong enough to deliver frontier-level privacy filtering performance. At the same time, the model is small enough to be run locally–meaning data that has yet to be filtered can remain on device, with less risk of exposure, rather than needing to be sent to a server for de-identification.

Model overview

Privacy Filter is a bidirectional token-classification model with span decoding. It begins from an autoregressive pretrained checkpoint and is then adapted into a token classifier over a fixed taxonomy of privacy labels. Instead of generating text token by token, it labels an input sequence in one pass and then decodes coherent spans with a constrained Viterbi procedure.

This architecture gives Privacy Filter a few useful properties for production use:

• Fast and efficient: all tokens are labeled in a single forward pass.
• Context aware: the language prior enables PII spans to be detected based on surrounding context.
• Long-context: the released model supports up to 128,000 tokens of context.
• Configurable: developers can tune operating points to trade off recall and precision depending on their workflow.

The released model has 1.5B total parameters with 50M active parameters.

Privacy Filter predicts spans across eight categories:

• private_person
• private_address
• private_email
• private_phone
• private_url
• private_date
• account_number
• secret

The account_number category helps mask a wide variety of account numbers, including banking info like credit card numbers and bank account numbers, while secret helps mask things like passwords and API keys.

These labels are decoded with BIOES span tags, which helps produce cleaner and more coherent masking boundaries.

Example input text

Subject: Q2 Planning Follow-Up
Hi Jordan,
Thanks again for meeting earlier today. I wanted to follow up with the revised timeline for the Q2 rollout and confirm that the product launch is scheduled for September 18, 2026. For reference, the project file is listed under 4829-1037-5581. If anything changes on your side, feel free to reply here at [email protected] or call me at +1 (415) 555-0124.
Best,
Maya Chen

Text after masking personal identifiers

Subject: Q2 Planning Follow-Up
Hi [PRIVATE_PERSON],
Thanks again for meeting earlier today. I wanted to follow up with the revised timeline for the Q2 rollout and confirm that the product launch is scheduled for [PRIVATE_DATE]. For reference, the project file is listed under [ACCOUNT_NUMBER]. If anything changes on your side, feel free to reply here at [PRIVATE_EMAIL] or call me at [PRIVATE_PHONE].
Best,
[PRIVATE_PERSON]

How we built it

We developed Privacy Filter in several stages.

First, we built a privacy taxonomy that defines the types of spans the model should detect. This includes personal identifiers, contact details, addresses, private dates, many different kinds of account numbers such as credit and banking information, and secrets such as API keys and passwords.

Second, we converted a pretrained language model into a bidirectional token classifier by replacing the language modeling head with a token-classification head and post-training it with a supervised classification objective.

Third, we trained on a mixture of publicly available and synthetic data designed to capture both realistic text and difficult privacy patterns. In parts of the public data where labels were incomplete, we used model-assisted annotation and review to improve coverage. We also generated synthetic examples to increase diversity across formats, contexts, and privacy subtypes.

At inference time, the model's token-level predictions are decoded into coherent spans using constrained sequence decoding. This approach preserves the broad language understanding of the pretrained model while specializing it for privacy detection.

How Privacy Filter performs

We evaluated Privacy Filter on standard benchmarks and on additional synthetic and chat-style evaluations designed to test harder, more context-sensitive cases.

On the PII-Masking-300k benchmark, Privacy Filter achieves an F1 score of 96% (94.04% precision and 98.04% recall). On a corrected version of the benchmark that accounts for dataset annotation issues identified during review, the F1 score is 97.43% (96.79% precision and 98.08% recall).

We also found that the model can be adapted efficiently. Fine-tuning on even a small amount of data quickly improves accuracy on domain-specific tasks, increasing F1 score from 54% to 96% and approaches saturation on the domain-adaption benchmark we evaluated.

Beyond benchmark performance, Privacy Filter is designed for practical privacy filtering in noisy, real-world text. That includes long documents, ambiguous references, mixed-format strings, and software-related secrets. The model card also reports targeted evaluation on secret detection in codebases and stress tests across multilingual, adversarial, and context-dependent examples.

Limitations

Privacy Filter is not an anonymization tool, a compliance certification, or a substitute for policy review in high-stakes settings. It is one component in a broader privacy-by-design system.

Its behavior reflects the label taxonomy and decision boundaries it was trained on. Different organizations may want different detection or masking policies, and those policies may require in-domain evaluation or further fine-tuning. Performance may also vary across languages, scripts, naming conventions, and domains that differ from the training distribution.

Like all models, Privacy Filter can make mistakes. It can miss uncommon identifiers or ambiguous private references, and it can over- or under-redact entities when context is limited, especially in short sequences. In high-sensitivity domains such as legal, medical, and financial workflows, human review and domain-specific evaluation and fine-tuning remain important.

Availability

We are releasing OpenAI Privacy Filter to support stronger privacy protections across the ecosystem.

The model is available today under the Apache 2.0 license on Hugging Face and Github. It is intended for experimentation, customization, and commercial deployment, and it can be fine-tuned for different data distributions and privacy policies.

Alongside the model, we are sharing documentation covering the model architecture, label taxonomy, decoding controls, intended use cases, evaluation setup, and known limitations, so teams can understand both what the model does well and where it should be used carefully.

Looking ahead

Privacy protection for AI systems is an ongoing effort across research, product design, evaluation, and deployment.

Privacy Filter reflects one direction we believe is important: small, efficient models with frontier capability in narrowly defined tasks that matter for real-world AI systems. We are releasing it because we think privacy-preserving infrastructure should be easier to inspect, run, adapt, and improve.

Our goal is for models to learn about the world, not about private individuals. Privacy Filter helps make that possible.

We’re releasing this preview of Privacy Filter to receive feedback from the research and privacy community and iterate further on model performance.

Original source