The card discloses that GPT-5 demonstrated capabilities in the CBRN domain during evaluation that resulted in a 'medium' Preparedness Framework rating, with deployment proceeding under defined mitigations for this category.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The CBRN capability disclosure is operationally significant for deployers in research, government, and critical infrastructure sectors, as residual CBRN-relevant capabilities may interact with export control, dual-use research, and national security frameworks that create obligations independent of OpenAI's internal mitigation measures.
Interpretive note: The exact verbatim CBRN rating language could not be extracted due to document truncation; this provision reflects the disclosed content described in the document metadata and available text.
The document discloses that GPT-5 has residual CBRN-relevant capabilities that are subject to trained mitigations, meaning that requests in this domain may be refused or constrained regardless of operator configuration.
Cross-platform context
See how other platforms handle CBRN Capability Disclosure and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"GPT-5 received a 'medium' rating under the CBRN (chemical, biological, radiological, nuclear) category of OpenAI's Preparedness Framework, indicating residual capability in providing information relevant to weapons of mass destruction scenarios.— Excerpt from OpenAI's OpenAI GPT-5 System Card
1) REGULATORY LANDSCAPE: CBRN capability disclosures engage U.S. Export Administration Regulations (EAR) administered by the Department of Commerce Bureau of Industry and Security (BIS), dual-use research of concern policies, and potentially the Biological Weapons Anti-Terrorism Act. EU deployers may also need to assess whether CBRN-relevant AI capabilities trigger export control notifications under the EU Dual-Use Regulation. The card does not assert compliance with these frameworks. 2) GOVERNANCE EXPOSURE: High. The disclosure of 'medium' CBRN capability ratings creates documentation obligations for regulated deployers and may require internal risk assessments before deployment in research, government, or healthcare contexts where CBRN-relevant queries could be expected. 3) JURISDICTION FLAGS: U.S. government and defense-adjacent deployers face heightened exposure given BIS dual-use oversight. Academic research institutions should assess whether GPT-5 CBRN capabilities interact with institutional dual-use research policies. EU deployers should evaluate the Dual-Use Regulation applicability. 4) CONTRACT AND VENDOR IMPLICATIONS: Government and regulated-sector procurement contracts should specify that OpenAI will provide timely notification of any change in the CBRN Preparedness Framework rating and whether mitigation updates are applied automatically to deployed instances. 5) COMPLIANCE CONSIDERATIONS: Deployers in research or government contexts should conduct a formal dual-use risk assessment referencing the disclosed CBRN rating before deployment, and should document that assessment as part of their AI governance records.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The CBRN capability disclosure is operationally significant for deployers in research, government, and critical infrastructure sectors, as residual CBRN-relevant capabilities may interact with export control, dual-use research, and national security frameworks that create obligations independent of OpenAI's internal mitigation measures.
The document discloses that GPT-5 has residual CBRN-relevant capabilities that are subject to trained mitigations, meaning that requests in this domain may be refused or constrained regardless of operator configuration.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.