Jan 23, 2026
OpenAI is planning several releases around its code model Codex in the coming weeks. The announcement comes with a warning about the model’s capabilities.
CEO Sam Altman announced on X that new features will ship next week. According to Altman, these updates will push the model to the "High" cybersecurity risk level in OpenAI’s own risk framework for the first time. Above that sits only the "Critical" level.
What "High" risk means
According to OpenAI’s guidelines, the "High" level indicates that an AI model can remove existing barriers to cyberattacks, for example, by automating attacks on well-protected targets or automatically detecting security vulnerabilities. These capabilities could disrupt the balance between cyberattack and defense and significantly increase the volume of cyberattacks.
| Category | Capability threshold | Risk of severe damage | Security guidelines |
|---|---|---|---|
| Cybersecurity: The ability of an AI model to assist in the development of tools and executing operations for cyberdefense and cyberoffense. | [High] The model removes existing bottlenecks to scaling cyber operations including by automating end-to-end cyber operations against reasonably hardened targets OR by automating the discovery and exploitation of operationally relevant vulnerabilities. | Removing bottlenecks limiting malicious cyber activity may upset the current cyberoffense-cyberdefense balance by significantly automating and scaling the volume of existing cyberattacks. In conjunction with a Long-range Autonomy capability (Section 2.3), models that could bypass OpenAI’s technical safeguards constraining model activity, such as sandboxing or monitoring services, could compromise OpenAI’s ability to track and mitigate all other risks. | Require security controls meeting High standard (Appendix C.3); Require safeguards against misuse meeting High standard (Appendix C.1) for external deployment; Require safeguards meeting High standard against misalignment (Appendix C.2) for large-scale internal deployment; Contribute towards improved cyberdefense policies and tools for cyberdefense |