OpenAI is now using AI to attack its own AI, and it’s working better than humans ever did

OpenAI trained an internal AI model called GPT-Red to automatically find security flaws in GPT models. GPT-Red simulates prompt injections and other attacks where malicious instructions hide in emails, websites, or files. Trained via self-play reinforcement learning, GPT-Red attacks while defender models block, and both improve over time. It finds successful attacks in 84 percent of test scenarios versus 13 percent for human red teamers. In one test, it manipulated an AI-powered vending machine in OpenAI’s office, changed prices, and canceled other customers’ orders.

The results feed directly into training. GPT-5.6 Sol shows six times fewer failures on direct prompt injections than the best model from four months ago, OpenAI says, without hurting general performance. But about 3.8 percent of “stronger” prompt injections still succeed. Scale that to hundreds or thousands of attempts, and a sizable number get through, similar to Claude Opus 4.5.

rompt injection success rates dropped steadily from GPT-5.3 through GPT-5.6 Sol, but haven't hit zero. | Image: OpenAI
Prompt injection success rates dropped steadily from GPT-5.3 through GPT-5.6 Sol but haven’t hit zero. | Image: OpenAI

GPT-Red stays internal; a paper with more details will follow.

AI News Without the Hype – Curated by Humans

Subscribe to THE DECODER for ad-free reading, a weekly AI newsletter, our exclusive “AI Radar” frontier report six times a year, full archive access, and access to our comment section.

Subscribe now

Similar Posts

Leave a Reply