OpenAI Trusted Access for Cyber — Putting AI's Most Powerful Defenses in the Right Hands

The Problem With Locking Down AI Cybersecurity

As AI models grow more capable at finding and exploiting security vulnerabilities, the instinct is to lock them down. But that logic has a fatal flaw: attackers don't wait for permission. If defenders can't access the same capabilities, the asymmetry only grows in favor of those doing harm.

OpenAI's answer is Trusted Access for Cyber (TAC) — a framework built on a simple premise: advanced cyber capabilities should reach defenders broadly, but access should scale with trust, validation, and safeguards. Not a blanket restriction. Not an open door. A verified pathway.

How Rapidly AI Cyber Capabilities Are Growing

The pace of advancement here is striking. GPT-5 scored 27% on capture-the-flag (CTF) security benchmarks in August 2025. By November 2025, GPT-5.1-Codex-Max reached 76% on the same benchmarks — in just three months. OpenAI is now planning and evaluating as though each new model could reach "High" levels of cybersecurity capability: models capable of developing working zero-day remote exploits against well-defended systems or conducting complex, stealthy enterprise intrusion operations.

That's not a distant future scenario. That's the planning horizon OpenAI is operating under right now.

The Tiered Access Model

TAC launched in February 2026 alongside a $10 million cybersecurity grant, initially running on GPT-5.3-Codex. Since then it has expanded through multiple tiers:

• Standard TAC: Automated identity verification for individual security professionals. Reduces refusals for legitimate cybersecurity tasks while maintaining safety guardrails.
• GPT-5.5 with TAC: The primary recommended model for most defensive workflows — handling the vast majority of legitimate security tasks for verified users.
• GPT-5.5-Cyber (limited preview): A more permissive variant for defenders responsible for securing critical infrastructure. Enables red teaming, vulnerability validation, malware analysis, binary reverse engineering, and penetration testing in authorized environments.
• Enterprise TAC: Organizations can apply through their OpenAI representative to grant trusted access to their entire security team by default.

Starting June 1, 2026, individual members accessing the most cyber-capable models will be required to enable Advanced Account Security. Organizations can alternatively attest to phishing-resistant authentication as part of their SSO workflow.

Who's Already In

The list of organizations already signed up reads like a who's who of global financial and security infrastructure:

• Bank of America, BlackRock, BNY, Citi, Goldman Sachs, JPMorgan Chase, Morgan Stanley, US Bank
• Cisco, Cloudflare, CrowdStrike, NVIDIA, Oracle, Palo Alto Networks, Zscaler
• iVerify, SpecterOps

OpenAI has also provided GPT-5.4-Cyber to the U.S. Center for AI Standards and Innovation (CAISI) and the UK AI Security Institute (UK AISI) for independent capability and safety evaluations. Technology partners including Cisco, Intel, SentinelOne, and Snyk are evaluating how AI models can accelerate defensive workflows at scale.

What GPT-5.5-Cyber Can Do

For verified defenders at the highest TAC tier, GPT-5.5-Cyber unlocks capabilities that go significantly beyond standard models:

• Writing proofs of concept for identified vulnerabilities
• Running attack simulations in authorized environments
• Binary reverse engineering — analyzing compiled software for malware and vulnerabilities without source code access
• Detection engineering and monitoring operations
• Software supply chain security and patch validation

Defenders are still blocked from credential theft, malware deployment for offensive use, and persistent unauthorized access — the guardrails are calibrated, not removed.

Codex Security: Fixing Vulnerabilities at Scale

Running alongside TAC is Codex Security — an agentic system that automatically monitors codebases, validates issues, and proposes fixes. Since its recent launch, Codex Security has contributed to over 3,000 critical and high-severity fixed vulnerabilities across the ecosystem, along with many more lower-severity findings. Free coverage is available for select non-commercial open-source repositories.

OpenAI vs. Anthropic: Two Different Philosophies

The contrast with Anthropic's approach is deliberate and worth noting. Anthropic's Project Glasswing — announced April 7, 2026 — takes a more restrictive path: only about 40 organizations are getting access to its forthcoming Mythos cybersecurity model, citing concerns that the model is too capable to release more widely.

OpenAI is making the opposite bet: scale identity verification, not capability restrictions. Get powerful tools to thousands of verified defenders rather than dozens of curated partners. Whether this more open approach maintains adequate safeguards at scale is the central question — and one the industry will be watching closely.

The Harder Question

Cybersecurity AI is advancing fast enough that any framework for managing it will need to evolve continuously. The gap between what these models can do and what defenders are authorized to use them for will always be under pressure — from both the improving capabilities of the models and the escalating sophistication of real-world attackers. OpenAI's TAC program is a serious attempt to navigate that tension. Whether it's the right answer won't be known until it's tested at scale against real threats.