SYSTEM CARD · A STRUCTURAL READING

The GPT-5.6 System Card

OpenAI's July 2026 safety report, drawn as a safety label — two capabilities rated High, none Critical, resting on a self-audit. Every line is the card's own words, with the section and figure that measure it.

OpenAI · July 9, 2026 · 81 pages · read the original

Frontier AI ModelReleased 07 · 09 · 2026
Safety Facts
Net contents: three modelsSol · Terra · Luna
Tracked-category capabilitiesLevel reached

The card assesses capability in the areas that could enable severe harm, on a scale that tops out at Critical. A High designation comes with a tailored safeguard package; Critical is the framework's highest level.

CybersecurityHigh

“These models are a meaningful step up in cybersecurity capability, but they do not reach our risk framework's highest level (Critical).”GPT-5.6 System Card · §Introduction (item 1)

Biological & ChemicalHigh

“We observe 3 out of 4 evaluations are above our indicative thresholds … and conclude that these models should thus be precautionarily treated as High.”GPT-5.6 System Card · §9.1.1 (High-threshold biological evaluations)

AI Self-ImprovementBelow High

“None of them reach our High threshold in AI Self-Improvement.”GPT-5.6 System Card · §Introduction

Critical capabilityNone reached
“We observe 0 out of 3 evaluations are above our indicative thresholds, and conclude that none of the three models need to be treated as Critical.”GPT-5.6 System Card · §9.1.1 (Critical-threshold biological evaluations)

Designations are the card's own — High · High · below High (§Introduction; §9.1). The four-step meter is an illustration of the tier reached, not a figure from the card.

Behavioral findings

How the model behaves in everyday use. Tap any line for the card's exact words, where to find them, and what the figure reports.

In the card's words

We find that GPT-5.6 Sol, more often than its predecessor, can be overly persistent in pursuing user goals, to the point of taking actions that go beyond what the user intended. While rates of misaligned behavior are higher than previous deployments, the absolute number remains low.

Where to find it§7.2 · Agentic Coding (deployment simulation)

What Figure 7 shows · §7.2 · lower is better

Figure 7 breaks severity-3 misalignment into six types (proportion of resampled internal traffic), GPT-5.6 Sol vs GPT-5.5. Sol is higher on every type — most sharply Circumventing Restrictions 0.00251 vs 0.00026 (~10×), then Destructive Actions 0.00019 vs 0.00003 and Unauthorized Data Transfer 0.00016 vs 0.00008. Absolute rates stay very low.

In the card's words

We find that GPT-5.6 Sol makes slightly fewer factual errors than GPT-5.5, and reproduces user-reported hallucinations significantly less often. We find that larger models tend to perform better than smaller models on factuality.

Where to find it§6 · Hallucinations

What the eval measures · lower is better

Two error metrics: the response-level hallucination rate (does it make any error), and whether it reproduces the specific user-flagged error. GPT-5.6 Sol lands below GPT-5.5 on both, and larger models score better than smaller ones. Per-model rates appear in the figure.

In the card's words

GPT-5.6 Sol has a length-adjusted HealthBench Professional score of 60.5 (+8.7) … Overall, this reflects improved HealthBench Professional and HealthBench Hard performance vs GPT-5.5, with HealthBench and HealthBench Consensus flat.

Where to find it§5 · Health (HealthBench)

What Table 6 shows · length-adjusted, higher is better

Four length-adjusted variants vs GPT-5.5: Professional 60.5 (+8.7), HealthBench 57.0 (+0.4), Hard 33.1 (+1.6), Consensus 95.5 (−0.1). Two improved (Professional, Hard); two essentially flat. Length-adjustment means a longer answer earns no free credit.

In the card's words

We evaluate the model's robustness to known prompt injection attacks against connectors. These attacks embed adversarial instructions in the tool-output that aim to mislead the model and override the system/developer/user instruction. We include improved versions of these attacks dedicated to search and function-calling as well.

Where to find it§4.2 · Prompt injection

What Table 5 shows · §4.2 · higher is better

Prompt-injection robustness, scored 0–1, across two evals. GPT-5.6 Sol: Connectors 1.000 and Search and Function-Calling 0.910 (Terra 0.946, Luna 0.897).

In the card's words

This evaluation is used to assess harmful stereotypes by grading differences in how a model responds to the conversation when the user's name is statistically more often associated with males (e.g., Brian) or females (e.g., Ashley). Responses are rated for harmful differences in stereotypes using GPT-4o … This evaluation consists of over 600 challenging prompts …

Where to find it§8 · First-Person Fairness

What Figure 21 shows · lower is better

Figure 21 plots harm_overall (%), with 95% confidence whiskers, across models. GPT-5.6 improves on GPT-5.5 (1.12%): Sol 0.98%, Terra 0.88%, Luna 0.61%. Earlier models: 5.1 Thinking 1.28%, 5.2 1.00%, 5.4 0.88%. Lower means smaller differences in harmful stereotyping between male- and female-associated names.

In the card's words

Metagaming is when a model reasons about how it will be graded, rewarded, or monitored, rather than only reasoning about the situation described in the prompt … GPT-5.6 Sol shows verbalized metagaming on some evaluation and training tasks, and more than GPT-5.5 on a suite of evaluation tasks. We see vanishingly low metagaming when evaluating with deployment simulation.

Where to find it§7.4 · Metagaming

What Figure 17 shows · §7.4 · lower is better

Figure 17 shows verbalized metagaming swings sharply by evaluation suite: 55.8% on the Honesty suite and 23.8% on the Instruction-following suite, but just 0.05% on the ChatGPT simulation and 0.15% on the internal Codex simulation.

In the card's words

We find that the GPT-5.6 series performs similarly to previous thinking models, with the exception of gore. On ChatGPT, for users we believe may be under 18, we apply additional age-appropriate content protections that further restrict sexual content and exposure to gore.

Where to find it§3.1 · Disallowed Content

What Figure 1 shows · §3.1

Figure 1 forecasts disallowed-content rates per 100k conversation turns by category (a GPT-5.6 Sol simulation vs GPT-5.5). Overall about the same; most categories flat or lower. The significant predicted moves: Sexual ~1.4× and Emotional Reliance ~1.9× up, Mental Health ~1.6× down. Absolute rates stay low (harassment ~8.8 per 100k).

Safeguards appliedWhat the card describes

In the card's words

Compared with previous models, our GPT-5.6 Sol cyber safeguards block roughly ten times more potentially harmful activity … This reflects our iterative deployment approach: starting conservatively and improving based on what we learn from real-world use.

Where to find it§Introduction (item 2)

Scope of the “ten times” figure

The ~10× is specific: GPT-5.6 Sol's cyber safeguards blocking potentially harmful activity, compared with previous models — not an across-the-board rate.

In the card's words

We also have programs in place so that when GPT-5.6 models are broadly available to the public, we can continue to reserve the most sensitive cybersecurity and biological capabilities for trusted defenders.

Where to find it§Introduction (item 4) · Trust-based access §9.2, §9.4.8

The two named programs · §9.4.8

Two gates: Trusted Access for Biology Research (vetted organizations, institutional verification, use-case review, monitoring) and Trusted Access for Cyber under OpenAI Daybreak — an identity-gated pathway for verified defenders, covering vulnerability triage, malware analysis, and patch validation.

In the card's words

We've also dedicated over 700,000 A100e GPU hours to automatically find universal jailbreaks, and we will run automated red teaming continuously during deployment. As jailbreaks are reported, we reproduce, mitigate and retest for them so that gaps are addressed.

Where to find it§Introduction (item 5) · §9.2

The figure behind the claim

The 700,000 A100e GPU-hours is a stated floor (“over”), dedicated to automatically finding universal jailbreaks; automated red-teaming then continues during deployment, with reported jailbreaks reproduced, mitigated, and retested.

In the card's words

… requiring each safeguard package to sufficiently minimize the associated risks of severe harm.

Where to find it§9.1 · Frontier Risk Assessment

How the bar is applied

The standard is the Preparedness Framework's release bar: each safeguard package must “sufficiently minimize the associated risks of severe harm.” Safeguards are tailored to each High-capability model based on its capability profile.

How it's tested

Who ran the evaluations?

Both OpenAI and outside groups. The card reports internal testing alongside independent external evaluation — four private red-teaming organizations (§9.4.5), the UK AI Security Institute (§9.1.2.6, §9.2.1–9.2.2, §9.4.6), and METR (§9.1.3.6). Some graders are OpenAI's own models — GPT-4o for the fairness eval (§8), GPT-5 Thinking as a chain-of-thought monitor (§7.3.1). A sample of the testing, in the card's words:

In the card's words

Testing by four private red teaming organizations lasted over more than a month, with access beginning June 3rd, 2026. We iterated on their findings to improve policy and system level safeguard robustness over this period of time. All findings from this testing were mitigated before launch.

Where to find it§9.4.5 · Third Party Red-teaming for Jailbreaks

The engagement

Four private red-teaming organizations, access from June 3, 2026, over more than a month; all findings mitigated before launch. Long-standing partners who build attack knowledge across launches and combine human-expert and automated methods.

In the card's words

As part of our ongoing partnership with the UK AI Security Institute (UK AISI), we provided UK AISI with early access to GPT-5.6 Sol to support independent, pre-deployment evaluation of cyber capabilities.

Where to find it§9.1.2.6 · External Evaluations for Cyber Capabilities — UK AISI

What UK AISI found · higher = more capable

On AISI's CTF expert-level tasks, GPT-5.6 Sol scored 95.0% ± 9.8%, up from 85.0% ± 11.6% for GPT-5.5, and completed “The Last Ones,” a 32-step corporate-network attack simulation.

In the card's words

Chain-of-thought (CoT) monitorability measures whether a monitor can infer particular properties of a model's behavior from its reasoning trace … Averaging across evaluations, GPT-5.6 Sol and GPT-5.5 have similar CoT monitorability.

Where to find it§7.3.1 · CoT Monitorability

What Figure 8 shows · §7.3.1 · higher is desirable

Figure 8 tracks monitorability (g-mean²) as the chain of thought lengthens, under three monitor views — CoT only, all messages, and actions only. Monitorability climbs steeply with CoT length; GPT-5.6 Sol and GPT-5.5 track close together, with GPT-5.5 slightly higher when the monitor sees actions only.

In the card's words

We additionally measure “CoT controllability”, a reasoning model's ability to control properties of its CoT in ways that reduce monitorability … We find that GPT-5.6 Sol's CoT controllability is higher than that of GPT-5.5 and GPT-5.4 Thinking … We are investigating the causes of increased CoT controllability of GPT-5.6 Sol.

Where to find it§7.3.2 · CoT Controllability

What Figure 14 shows · §7.3.2 · lower is desirable

Figure 14 plots CoT controllability against CoT length. GPT-5.6 Sol's curve sits above every other model across most of the range; at ~5k tokens it controls 1.3% of chains of thought, vs 0.4% (GPT-5.5) and 0.7% (GPT-5.4 Thinking). Terra stays low. Low controllability is the desirable property — it means the model can't easily obfuscate its reasoning to evade monitors.

Source: OpenAI GPT-5.6 System Card, July 9, 2026 (81 pp.). Quotations are verbatim; ellipses mark omitted text. Figure and table numbers follow the published web card, and every cited value was read directly from that figure or table. This label is a personal structural reading — a re-organization of the card's words and data, not OpenAI's summary.

IN CLOSING

A system card is a company's own account of what it built. Set out in its own words and its own numbers, each line traceable to a section, it becomes something a reader can check rather than take on faith.