Weaponized AI risk is 'high,' warns OpenAI - here's the plan to stop it

Samuel Boivin/NurPhoto via Getty Images

Follow ZDNET: Add america arsenic a preferred source on Google.

ZDNET's cardinal takeaways

• OpenAI launched initiatives to safeguard AI models from abuse.
• AI cyber capabilities assessed done capture-the-flag challenges improved successful 4 months.
• The OpenAI Preparedness Framework whitethorn assistance way the information risks of AI models.

OpenAI is informing that the accelerated improvement of cyber capabilities successful artificial quality (AI) models could effect successful "high" levels of hazard for the cybersecurity manufacture astatine large, and truthful enactment is being taken present to assistance defenders. 

As AI models, including ChatGPT, proceed to beryllium developed and released, a occupation has emerged. As with galore types of technology, AI tin beryllium utilized to payment others, but it tin besides beryllium abused -- and successful the cybersecurity sphere, this includes weaponizing AI to automate brute-force attacks, make malware oregon believable phishing content, and refine existing codification to marque cyberattack chains much efficient. 

(Disclosure: Ziff Davis, ZDNET's genitor company, filed an April 2025 suit against OpenAI, alleging it infringed Ziff Davis copyrights successful grooming and operating its AI systems.)

In caller months, atrocious actors have utilized AI to propagate their scams done indirect punctual injection attacks against AI chatbots and AI summary functions successful browsers; researchers person recovered AI features diverting users to malicious websites, AI assistants are processing backdoors and streamlining cybercriminal workflows, and information experts have warned against trusting AI excessively overmuch with our data. 

Also: Gartner urges businesses to 'block each AI browsers' - what's down the dire warning

The dual quality (as Open AI calls it) of AI models, however, means that AI tin besides beryllium leveraged by defenders to refine protective systems, to make tools to place threats, to perchance bid oregon thatch quality specialists, and to enarthrosis the task of time-consuming, reptitive tasks specified arsenic alert triage, which frees up the clip of cybersecurity unit for much invaluable projects. 

The existent landscape

According to OpenAI, the capabilities of AI systems are advancing astatine a accelerated rate. 

For example, capture-the-flag (CTF) challenges, traditionally utilized to trial cybersecurity capabilities successful trial environments and aimed astatine uncovering hidden "flags," are present being utilized to measure the cyber capabilities of AI models. OpenAI said they person improved from 27% occurrence rates connected GPT‑5 successful August 2025 to 76% connected GPT‑5.1-Codex-Max⁠ successful November 2025 -- a notable summation successful a play of lone 4 months. 

Also: AI agents are already causing disasters - and this hidden menace could derail your harmless rollout

The minds down ChatGPT said they expect AI models to proceed connected this trajectory, which would springiness them "high" levels of cyber capability. OpenAI said this classification means that models "can either make moving zero-day distant exploits against well-defended systems, oregon meaningfully assistance with complex, stealthy endeavor oregon concern intrusion operations aimed astatine real-world effects."

Managing and assessing whether AI capabilities volition bash harm oregon good, however, is nary elemental task -- but 1 that OpenAI hopes to tackle with initiatives including the Preparedness Framework (.PDF). 

OpenAI Preparedness Framework

The Preparedness Framework, past updated successful April 2025, outlines OpenAI's attack to balancing AI defence and risk. While it isn't new, the model does supply the operation and usher for the enactment to travel -- and this includes wherever it invests successful menace defense. 

Three categories of risk, and those that could pb to "severe harm," are presently the superior focus. These are:

• Biological and chemic capabilities: The equilibrium betwixt new, beneficial aesculapian and biologic discoveries and those that could pb to biologic oregon chemic limb development.
• Cybersecurity capabilities: How AI tin assistance defenders successful protecting susceptible systems, portion besides creating a caller onslaught aboveground and malicious tools. 
• AI self-improvement capabilities: How AI could beneficially heighten its ain capabilities -- oregon make power challenges for america to face.  

The precedence class appears to beryllium cybersecurity astatine present, oregon astatine slightest the astir publicized. In immoderate case, the framework's intent is to place hazard factors and support a menace exemplary with measurable thresholds that bespeak erstwhile AI models could origin terrible harm. 

Also: How good does ChatGPT cognize me? This elemental punctual revealed a batch - effort it for yourself

"We won't deploy these precise susceptible models until we've built safeguards to sufficiently minimize the associated risks of terrible harm," OpenAI said successful its model manifest. "This Framework lays retired the kinds of safeguards we expect to need, and however we'll corroborate internally and amusement externally that the safeguards are sufficient."

OpenAI's latest information measures

OpenAI said it is investing heavy successful strengthening its models against abuse, arsenic good arsenic making them much utile for defenders. Models are being hardened, dedicated menace quality and insider hazard programs person been launched, and its systems are being trained to observe and garbage malicious requests. (This, successful itself, is simply a challenge, considering menace actors tin enactment and punctual arsenic defenders to effort and make output aboriginal utilized for transgression activity.)

"Our extremity is for our models and products to bring important advantages for defenders, who are often outnumbered and under-resourced," OpenAI said. "When enactment appears unsafe, we whitethorn artifact output, way prompts to safer oregon little susceptible models, oregon escalate for enforcement."

The enactment is besides moving with Red Team providers to measure and amended its information measures, and arsenic Red Teams enactment offensively, it is hoped they tin observe antiaircraft weaknesses for remediation -- earlier cybercriminals do.

Also: AI's scary caller trick: Conducting cyberattacks alternatively of conscionable helping out

OpenAI is acceptable to motorboat a "trusted entree program" that grants a subset of users oregon partners entree to trial models with "enhanced capabilities" linked to cyberdefense, but it volition beryllium intimately controlled.

"We're inactive exploring the close bound of which capabilities we tin supply wide entree to and which ones necessitate tiered restrictions, which whitethorn power the aboriginal plan of this program," the institution noted. "We purpose for this trusted entree programme to beryllium a gathering artifact towards a resilient ecosystem."

Furthermore, OpenAI has moved Aardvark, a information researcher agent, into backstage beta. This volition apt beryllium of involvement to cybersecurity researchers, arsenic the constituent of this strategy is to scan codebases for vulnerabilities and supply spot guidance. According to OpenAI, Aardvark has already identified "novel" CVEs successful unfastened root software.

Finally, a caller collaborative advisory radical volition beryllium established successful the adjacent future. Dubbed the Frontier Risk Council, this radical volition see information practitioners and partners who volition initially absorption connected the cybersecurity implications of AI and associated practices and recommendations, but the assembly volition besides yet grow to see the different categories outlined successful the OpenAI Preparedness Framework successful the future.

What tin we expect successful the agelong term?

We person to dainty AI with caution, and this includes implementing AI and LLMs not lone into our idiosyncratic lives, but besides limiting the vulnerability of AI-based information risks successful business. For example, probe steadfast Gartner recently warned organizations to debar oregon artifact AI browsers wholly owed to information concerns, including punctual injection attacks and information exposure.

We request to retrieve that AI is simply a tool, albeit a caller and breathtaking one. New technologies each travel with risks -- arsenic OpenAI intelligibly knows, considering its absorption connected the cybersecurity challenges associated with what has go the astir fashionable AI chatbot worldwide -- and truthful immoderate of its applications should beryllium treated successful the aforesaid mode arsenic immoderate different caller technological solution: with an appraisal of its risks, alongside imaginable rewards.