Multi-Layered Safeguards for Biological and Chemical Risks in GPT-5

Based on detailed threat modeling, GPT-5 distinguishes between different pathways through which the model could be misused. The model’s taxonomy focuses on two main threat pathways: one that involves uplifting a novice user to create or deploy known biological threats, and another wherein an expert might be empowered to modify or deploy such threats. To support this, a content classification system has been developed. This system categorizes information under three key areas: 'Biological Weaponization', which pertains to assistance with malign bioweapons processes; 'High-Risk Dual Use Biology', which includes any detailed guidance that could enable self-replicating agents or significant modifications; and 'Low-Risk Dual Use Biology', which covers general scientific explanations that are benign and not directly empowering for dangerous experiments. The taxonomy not only informs how the model is trained but also guides subsequent layers of defense^[1].

The safeguard design employs an end-to-end, layered defense system that starts from the training phase and extends into system-wide protections. The first layer involves model training. GPT-5’s safety training specifically requires the model to refuse all requests for weaponization assistance and to never provide detailed, actionable guidance on dual-use topics. This training is reinforced through safe completions, ensuring that the model always defaults to high-level, non-detailed responses where necessary.

Beyond training, system-level protections constitute the next layer. These include a two-tiered, real-time oversight mechanism. The first component is a fast, topical classifier that verifies if a conversation is related to biological content. If the content is flagged, it is then passed to a second-tier reasoning monitor. This monitor analyses the output to determine if it falls into any category described in the established biological threat taxonomy. With thresholds set to maximize recall, the system is designed to catch even borderline cases, ensuring that the final response adheres strictly to safety policies^[1].

In addition to the in-model safeguards and automated oversight, GPT-5 implements robust account-level interventions. All user interactions are continuously scanned to detect potential violations of usage policies. This is coupled with manual review by experts in biothreat safety, and recidivism prevention measures are in place to address any repeat offenders. For users accessing the model through the API, special controls have been introduced. A new API field called ‘safety_identifier’ helps both developers and OpenAI to differentiate end-user identities and to monitor for any harmful attempts. Developers are required to implement this field; failure to do so may result in restricted access. This framework is designed so that if repeated issues are detected, the model output is either blocked or flagged, and enforcement actions—including potential bans and even notifications to law enforcement in extreme cases—can be taken^[1].

Recognizing that certain beneficial applications in life sciences may need more detailed responses, OpenAI has instituted a Trusted Access Program. This program is aimed at vetted and trusted customers who operate within robust biosafety and security frameworks. Under this controlled program, select users may access a less restricted version of GPT-5. However, even in these cases, the model continues to block any generation that contains weaponization or actionable harmful guidance. The trusted access mechanism thereby strikes a balance between enabling research and ensuring safety^[1].

To validate the effectiveness of these multi-layered safeguards, extensive testing and red teaming procedures have been carried out. This testing includes evaluations of both model safety training and the system-level protections. The model was tested using challenging red team prompts, including those provided by biosafety experts, on scenarios designed to elicit potentially harmful responses. Moreover, separate campaigns using external groups—ranging from experienced red teamers with bioscience expertise to third-party groups and government agencies—have systematically assessed the model’s responses under adversarial conditions. These evaluations demonstrated that GPT-5’s defenses not only correctly prevent the disclosure of sensitive biological information but also quickly detect and mitigate any emerging vulnerabilities. The results from these campaigns confirm that the layered safeguards perform as intended across all usage scenarios^[1].

Beyond the direct safeguards built into the model and its oversight systems, GPT-5 is protected by broader security controls. These include strict access restrictions to prevent unauthorized extraction of model parameters, clear egress controls, and continuous monitoring for any indications of malicious behavior. The infrastructure supporting GPT-5 is hardened against attacks, ensuring that any potential exfiltration of sensitive data or bypass of safety measures is swiftly detected and remediated. Together, these additional controls form an important part of the defense-in-depth strategy and help secure both the model and the underlying data from abuse^[1].

In summary, the multi-layered safeguards in GPT-5 for biological and chemical risks are carefully constructed from the ground up. They encompass rigorous model training focused on safe completions, an automated real-time oversight system with a two-tiered classifier and reasoning monitor, strict account-level enforcement, comprehensive API safety protocols, and a Trusted Access Program for sensitive research applications. Extensive testing and external red teaming further ensure that these layers work harmoniously to minimize the risk of malicious use. This comprehensive approach, verified by numerous evaluations, underscores OpenAI’s commitment to safety in advanced AI systems^[1].