Most AI safety announcements are vague on what actually changes. This one isn’t. OpenAI just shipped a tiered access system for security work, and the new GPT-5.5-Cyber model sitting at the top of that ladder is the most permissive cyber-capable model they’ve released to date. If you do offensive security, defensive engineering, or anything in between, the next 90 days are going to look different.
I’ve been tracking how frontier labs handle dual-use security capabilities for a while. The usual approach is “block everything that smells like an exploit.” That works until it doesn’t. Real defenders need to validate exploits. They need to write proof-of-concepts. They need to actually test the things they’re protecting. The new structure tries to thread that needle without giving the same powers to a random account that signed up yesterday.
Three Access Tiers, Different Realities
The new structure has three layers. They look similar on paper. They behave very differently when you actually run security prompts through them.
- GPT-5.5 (default). Standard safeguards. General-purpose use. If you ask it to write an exploit, it refuses. Most users will never need anything else.
- GPT-5.5 with Trusted Access for Cyber (TAC). Available to verified defenders. Loosened classifier-based refusals for legitimate defensive work. Vulnerability triage, malware analysis, detection engineering, patch validation. Still blocks credential theft, persistence, and exploitation of third-party systems.
- GPT-5.5-Cyber. Limited preview. Most permissive behavior. Built for authorized red teaming, penetration testing, and controlled validation. Requires stronger verification and account-level controls.
The differences become obvious the moment you compare actual outputs. OpenAI’s own example: ask GPT-5.5 to build a proof-of-concept for a published CVE, you get refused. Ask GPT-5.5 with TAC for the same thing, you get a working PoC with documented exploitation steps and mitigations. Ask GPT-5.5-Cyber to actually run that exploit against a live target? It does it.
That last one is what makes this release interesting. And what makes it controversial.
How the Verification Actually Works
This is the part that matters. You don’t just enable a setting and get cyber-permissive behavior. There’s an identity and trust framework underneath.
Individual users have to verify identity at chatgpt.com/cyber. Starting June 1, 2026, anyone with TAC access to the more permissive models has to enable Advanced Account Security. That means phishing-resistant authentication. Hardware keys. Real protection, not just a password.
Organizations can attest that their SSO already uses phishing-resistant auth, which is the cleaner path for most enterprises.
Why this matters: an attacker who phishes a TAC-approved account could theoretically get a model that’s willing to help build exploits. The Advanced Account Security requirement closes that door. It’s the kind of detail that gets missed in coverage but matters in practice.
The Performance Numbers Are Less Dramatic Than You’d Think
Here’s a thing that’ll surprise people. GPT-5.5-Cyber is barely better than regular GPT-5.5 on benchmarks. On CyberGym, GPT-5.5-Cyber scored 81.9%. Plain GPT-5.5 scored 81.8%. Statistical noise.
OpenAI says the quiet part out loud in their post: “The initial preview of cyber-permissive models like GPT-5.5-Cyber is not intended to significantly increase cyber capability beyond GPT-5.5. It’s primarily trained to be more permissive on security-related tasks.”
That’s worth absorbing. The new model isn’t smarter. It just refuses less. Which means for most teams, GPT-5.5 with TAC is genuinely the right starting point. Save the cyber-tier model for the narrow workflows where you keep hitting refusals on legitimate work.
The Partner Ecosystem Is Where This Gets Real
OpenAI didn’t ship this alone. The launch partners list is who you’d want it to be if you were building an actual security flywheel:
- Network and security: Cisco, CrowdStrike, Palo Alto Networks, Zscaler, Cloudflare, Akamai, Fortinet
- Vulnerability research: Intel, Qualys, Rapid7, Tenable, Trail of Bits, SpecterOps
- Detection and monitoring: SentinelOne, Okta, Netskope
- Software supply chain: Snyk, Gen Digital, Semgrep, Socket
That’s basically a who’s who of enterprise security. The framing OpenAI uses is a “security flywheel” where each layer reinforces the others. Researchers find vulnerabilities. Supply chain tools stop bad dependencies. EDR vendors detect exploitation. Network providers deploy WAF mitigations. Each layer feeds the next.
Will every partner ship something useful? Probably not. But the surface area here is wide enough that some real wins are likely.
Codex Security and the Open Source Bet
Easy to overlook in this announcement: Codex Security. Open source is where vulnerabilities spread fastest. So OpenAI is investing upstream with maintainers.
Codex Security builds codebase-specific threat models. Explores realistic attack paths. Validates issues in isolated environments. Proposes patches for human review. There’s also a Codex Security plugin that brings the workflow into the Codex app or CLI.
Through Codex for Open Source, selected maintainers of critical projects can get conditional access to Codex Security plus API credits. The implicit bet: if you arm maintainers of upstream packages with better tooling, you reduce the supply chain attacks that have plagued every major incident in the last two years. Including the recent axios compromise that some of these partners are explicitly testing against.
What I’d Watch in the Next 90 Days
A few things on my radar:
- The TAC verification process. How long does identity verification actually take? If approval drags weeks, this won’t get adopted at scale. If it’s fast and well-built, expect heavy uptake.
- Misuse incidents. Someone is going to phish a TAC-approved account or socially engineer an org into approving the wrong person. How OpenAI handles the first public misuse case will tell us a lot about whether this framework holds up.
- The first real GPT-5.5-Cyber red team report. OpenAI promised a technical deep-dive on alpha testing where the model was used for automated red-teaming of critical systems. That document is going to matter.
- Anthropic’s response. Claude is widely used in security research already. Whether Anthropic builds a similar tiered access model in the next quarter is going to shape the whole defender ecosystem.
- Regulatory reaction. Cyber-permissive AI is going to attract attention from governments. Watch for guidance from CISA and equivalent bodies in Europe within six months.
The Bigger Story
The framing in OpenAI’s announcement is “democratizing AI-powered defense.” That’s marketing language. The actual story is more nuanced. AI capabilities that help defenders inherently help attackers too. The only real question is who gets the capability first and under what guardrails.
What OpenAI is trying to do with GPT-5.5-Cyber is build a system where verified defenders get capability faster than malicious actors can phish their way to it. Whether that holds up in the wild is the experiment.
The cyber-permissive model isn’t significantly more capable than the regular one. The verification framework around it is what’s actually new. If that framework works, this becomes the template every frontier lab follows. If it gets compromised early, the whole “tiered access” approach gets questioned.
Either way, if you run a security team, the action is clear: get someone on your team verified for TAC this week. The defenders who adapt fastest get the asymmetric advantage. The ones who wait will be playing catch-up six months from now.
https://openai.com/index/gpt-5-5-with-trusted-access-for-cyber
