OpenAI tested whether GPT-4o could help people conduct cyberattacks and rated it as a medium-level risk, meaning it was approved for release but with safety measures in place and continued monitoring.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The medium cybersecurity risk rating indicates that OpenAI determined GPT-4o provides some level of capability relevant to cyberattack assistance, and that deployment was authorized on the basis that mitigations reduce but do not eliminate this risk, which is relevant for enterprises and critical infrastructure operators evaluating the model.
Interpretive note: The exact verbatim Preparedness Framework cybersecurity rating language was not fully reproduced in the truncated document text; this characterization is based on the document's stated summary findings.
Enterprises and security-sensitive organizations using GPT-4o should be aware that the system card's cybersecurity assessment acknowledges residual risk of the model providing assistance with vulnerability discovery or social engineering, and should implement appropriate access controls and monitoring in their deployments.
How other platforms handle this
YOU MUST BE AND HEREBY AFFIRM THAT YOU ARE AN ADULT OF THE LEGAL AGE OF MAJORITY IN YOUR COUNTRY OR STATE OF RESIDENCE. If you are under the legal age of majority, your parent or legal guardian must consent to this agreement.
If you are a California resident, you may have certain rights under the California Consumer Privacy Act (CCPA). These rights may include: the right to know about personal information collected, disclosed, or sold; the right to delete personal information collected from you; the right to opt-out of t...
Our generative AI services are not directed at children. If you are under the applicable age of majority in your jurisdiction, you may only use these services with parental or guardian consent and supervision, subject to any additional restrictions set out in our family policies.
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"GPT-4o was evaluated for its potential to provide meaningful uplift to individuals seeking to conduct cyberattacks, including vulnerability discovery, exploit development, and social engineering assistance. The Preparedness Framework assessment rated this category as medium risk, with deployment authorized subject to mitigations and ongoing monitoring.— Excerpt from OpenAI's GPT-4o System Card (PDF)
REGULATORY LANDSCAPE: The Cybersecurity and Infrastructure Security Agency (CISA) and sector-specific regulators in financial services, healthcare, and critical infrastructure may evaluate AI systems' cybersecurity risk profiles as part of their oversight functions. The EU AI Act's provisions on general-purpose AI with systemic risk include cybersecurity assessment obligations. The NIST AI Risk Management Framework provides voluntary guidance on cybersecurity risk evaluation for AI systems. GOVERNANCE EXPOSURE: Medium. The Preparedness Framework's medium rating acknowledges that GPT-4o can provide some cybersecurity uplift, and the reliance on behavioral restrictions rather than architectural elimination of these capabilities means that adversarial prompting may partially circumvent mitigations. JURISDICTION FLAGS: Critical infrastructure operators in the EU face heightened obligations under the NIS2 Directive and EU AI Act. US federal contractors and regulated sector operators should evaluate whether their AI procurement policies require independent cybersecurity risk assessments beyond OpenAI's internal Preparedness Framework findings. CONTRACT AND VENDOR IMPLICATIONS: Enterprises should review their API agreements with OpenAI regarding liability allocation if the model is used to facilitate a cyberattack, and should assess whether OpenAI's security commitments satisfy applicable vendor risk management requirements. COMPLIANCE CONSIDERATIONS: Security teams should implement monitoring for GPT-4o API usage patterns consistent with cyberattack assistance (such as vulnerability queries or social engineering script generation) and should evaluate whether deployment in security-sensitive contexts requires additional safeguards beyond OpenAI's baseline restrictions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The medium cybersecurity risk rating indicates that OpenAI determined GPT-4o provides some level of capability relevant to cyberattack assistance, and that deployment was authorized on the basis that mitigations reduce but do not eliminate this risk, which is relevant for enterprises and critical infrastructure operators evaluating the model.
Enterprises and security-sensitive organizations using GPT-4o should be aware that the system card's cybersecurity assessment acknowledges residual risk of the model providing assistance with vulnerability discovery or social engineering, and should implement appropriate access controls and monitoring in their deployments.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.