OpenAI tested whether GPT-4o could help people conduct cyberattacks and rated it as a medium-level risk, meaning it was approved for release but with safety measures in place and continued monitoring.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The medium cybersecurity risk rating indicates that OpenAI determined GPT-4o provides some level of capability relevant to cyberattack assistance, and that deployment was authorized on the basis that mitigations reduce but do not eliminate this risk, which is relevant for enterprises and critical infrastructure operators evaluating the model.
Interpretive note: The exact verbatim Preparedness Framework cybersecurity rating language was not fully reproduced in the truncated document text; this characterization is based on the document's stated summary findings.
Enterprises and security-sensitive organizations using GPT-4o should be aware that the system card's cybersecurity assessment acknowledges residual risk of the model providing assistance with vulnerability discovery or social engineering, and should implement appropriate access controls and monitoring in their deployments.
How other platforms handle this
We have implemented appropriate technical and organizational security measures designed to protect the security of any Personal Information we process. However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technolo...
To the maximum extent permitted by applicable law, Kit shall not be liable for any indirect, incidental, special, consequential or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses, resulting ...
THE SERVICES ARE PROVIDED 'AS IS' AND 'AS AVAILABLE' WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. GRAMMARLY DOES NOT WARRANT THAT THE SERVICES WILL BE UN...
Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"GPT-4o was evaluated for its potential to provide meaningful uplift to individuals seeking to conduct cyberattacks, including vulnerability discovery, exploit development, and social engineering assistance. The Preparedness Framework assessment rated this category as medium risk, with deployment authorized subject to mitigations and ongoing monitoring.— Excerpt from OpenAI's GPT-4o System Card (PDF)
REGULATORY LANDSCAPE: The Cybersecurity and Infrastructure Security Agency (CISA) and sector-specific regulators in financial services, healthcare, and critical infrastructure may evaluate AI systems' cybersecurity risk profiles as part of their oversight functions. The EU AI Act's provisions on general-purpose AI with systemic risk include cybersecurity assessment obligations. The NIST AI Risk Management Framework provides voluntary guidance on cybersecurity risk evaluation for AI systems. GOVERNANCE EXPOSURE: Medium. The Preparedness Framework's medium rating acknowledges that GPT-4o can provide some cybersecurity uplift, and the reliance on behavioral restrictions rather than architectural elimination of these capabilities means that adversarial prompting may partially circumvent mitigations. JURISDICTION FLAGS: Critical infrastructure operators in the EU face heightened obligations under the NIS2 Directive and EU AI Act. US federal contractors and regulated sector operators should evaluate whether their AI procurement policies require independent cybersecurity risk assessments beyond OpenAI's internal Preparedness Framework findings. CONTRACT AND VENDOR IMPLICATIONS: Enterprises should review their API agreements with OpenAI regarding liability allocation if the model is used to facilitate a cyberattack, and should assess whether OpenAI's security commitments satisfy applicable vendor risk management requirements. COMPLIANCE CONSIDERATIONS: Security teams should implement monitoring for GPT-4o API usage patterns consistent with cyberattack assistance (such as vulnerability queries or social engineering script generation) and should evaluate whether deployment in security-sensitive contexts requires additional safeguards beyond OpenAI's baseline restrictions.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The medium cybersecurity risk rating indicates that OpenAI determined GPT-4o provides some level of capability relevant to cyberattack assistance, and that deployment was authorized on the basis that mitigations reduce but do not eliminate this risk, which is relevant for enterprises and critical infrastructure operators evaluating the model.
Enterprises and security-sensitive organizations using GPT-4o should be aware that the system card's cybersecurity assessment acknowledges residual risk of the model providing assistance with vulnerability discovery or social engineering, and should implement appropriate access controls and monitoring in their deployments.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.