OpenAI rated GPT-4o as a medium risk for helping people create biological, chemical, nuclear, or radiological weapons and for assisting cyberattacks, meaning it was cleared for release but with conditions and ongoing monitoring.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The Preparedness Framework risk classification establishes the internal governance threshold at which OpenAI authorized GPT-4o's release, and the document's acknowledgment of a 'medium' rating in CBRN and cybersecurity categories means residual uplift risk was accepted as part of deployment.
Interpretive note: The exact verbatim language of the Preparedness Framework risk rating was not fully rendered in the truncated document text; the characterization is based on the document's stated summary and description of findings.
Consumers and operators using GPT-4o should be aware that the model was assessed as presenting a medium-level risk of providing assistance in CBRN and cybersecurity attack contexts, and that OpenAI's mitigations are designed to reduce but not eliminate this risk.
Cross-platform context
See how other platforms handle Preparedness Framework Risk Classification and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"We have evaluated GPT-4o according to our Preparedness Framework and determined that it falls at medium risk for CBRN and cybersecurity. This means deployment is authorized under our framework, with ongoing monitoring and post-deployment mitigation updates required.— Excerpt from OpenAI's GPT-4o System Card (PDF)
REGULATORY LANDSCAPE: The Preparedness Framework is an internal OpenAI governance instrument, not a legally mandated risk assessment framework. However, the EU AI Act's provisions on general-purpose AI models with systemic risk require providers to conduct and document adversarial testing and risk assessments, and this disclosure may serve as partial evidence of compliance with those obligations. The FTC has authority over unfair or deceptive practices and could evaluate whether published risk ratings accurately represent model capabilities. GOVERNANCE EXPOSURE: Medium. The explicit acknowledgment of a 'medium' CBRN and cybersecurity risk rating, combined with the statement that deployment was authorized subject to ongoing monitoring, creates a documented governance record that institutional operators should assess against their own risk thresholds. The framework does not establish an external audit or third-party verification mechanism. JURISDICTION FLAGS: EU and EEA deployments face heightened scrutiny under the EU AI Act's systemic risk provisions for general-purpose AI models. US federal contractors or regulated sector operators may face additional requirements beyond OpenAI's internal Preparedness Framework findings. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams integrating GPT-4o into sensitive or regulated workflows should assess whether OpenAI's internal 'medium' risk authorization is sufficient for their contractual or regulatory obligations. The document does not indicate that third-party auditors validated the Preparedness Framework assessment. COMPLIANCE CONSIDERATIONS: Legal teams should evaluate whether the Preparedness Framework's methodology and findings satisfy any applicable AI risk assessment requirements in the jurisdictions where GPT-4o is deployed, particularly under the EU AI Act's forthcoming GPAI codes of practice.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The Preparedness Framework risk classification establishes the internal governance threshold at which OpenAI authorized GPT-4o's release, and the document's acknowledgment of a 'medium' rating in CBRN and cybersecurity categories means residual uplift risk was accepted as part of deployment.
Consumers and operators using GPT-4o should be aware that the model was assessed as presenting a medium-level risk of providing assistance in CBRN and cybersecurity attack contexts, and that OpenAI's mitigations are designed to reduce but not eliminate this risk.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.