The card discloses that GPT-5 received a 'medium' risk classification under OpenAI's internal Preparedness Framework across four categories: CBRN, cybersecurity, persuasion, and model autonomy, and that this rating governs the conditions under which deployment was authorized.
This analysis describes what OpenAI's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the safety classification baseline that governs GPT-5's deployment conditions, and the 'medium' rating across CBRN and cyberoffense categories may trigger due diligence obligations for enterprise deployers in regulated sectors or those subject to dual-use research oversight frameworks.
Interpretive note: The document's HTML was truncated and the exact verbatim Preparedness Framework rating language could not be extracted; this provision reflects disclosed content as described in the document metadata and available text.
The document establishes that GPT-5 operates under mitigations corresponding to a 'medium' Preparedness Framework rating, meaning certain high-risk output categories are subject to trained refusal behaviors and monitoring controls that apply to all users regardless of access tier.
Cross-platform context
See how other platforms handle Preparedness Framework Risk Rating: Medium and similar clauses.
Compare across platforms →Monitoring
OpenAI has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"GPT-5 has been evaluated against OpenAI's Preparedness Framework and has received a 'medium' rating across tracked risk categories including CBRN, cybersecurity, persuasion, and model autonomy. Deployment has proceeded under a set of defined mitigations corresponding to this rating level.— Excerpt from OpenAI's OpenAI GPT-5 System Card
1) REGULATORY LANDSCAPE: The 'medium' CBRN and cyberoffense ratings disclosed in this card may interact with U.S. dual-use research of concern policies, Export Administration Regulations administered by the Department of Commerce, and the EU AI Act's systemic risk provisions applicable to general-purpose AI models above defined capability thresholds. The FTC retains authority to evaluate whether safety rating representations constitute unfair or deceptive practices if the disclosed mitigations are found insufficient in practice. 2) GOVERNANCE EXPOSURE: High. The disclosed 'medium' rating across CBRN and cybersecurity categories indicates residual capability risk that has not been fully mitigated, and downstream operators integrating GPT-5 into products may inherit disclosure and risk management obligations depending on their sector and jurisdiction. The card does not specify whether the 'medium' rating reflects pre-mitigation or post-mitigation capability levels, which creates interpretive uncertainty for compliance teams. 3) JURISDICTION FLAGS: EU deployers face heightened exposure under the EU AI Act's GPAI systemic risk provisions. U.S. deployers in defense-adjacent, healthcare, or critical infrastructure sectors should assess whether the CBRN capability disclosures trigger internal review obligations. Illinois, California, and New York have enacted or are developing AI transparency requirements that may require additional disclosure. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams integrating GPT-5 should assess whether vendor agreements with OpenAI adequately address liability allocation in the event that residual CBRN or cyberoffense capabilities are elicited through their deployment configurations. The card does not assert OpenAI liability for downstream misuse enabled by operator misconfiguration. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should document the Preparedness Framework rating as part of their AI risk inventory and assess whether their use case interacts with any of the four rated risk categories. Organizations in regulated sectors should evaluate whether additional contractual protections or operational controls are required beyond those disclosed in the system card.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 3 platforms + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the safety classification baseline that governs GPT-5's deployment conditions, and the 'medium' rating across CBRN and cyberoffense categories may trigger due diligence obligations for enterprise deployers in regulated sectors or those subject to dual-use research oversight frameworks.
The document establishes that GPT-5 operates under mitigations corresponding to a 'medium' Preparedness Framework rating, meaning certain high-risk output categories are subject to trained refusal behaviors and monitoring controls that apply to all users regardless of access tier.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by OpenAI.