The GPT-5.4 Thinking system card marks a notable shift in OpenAI’s safety posture. It says GPT-5.4 Thinking is the first general-purpose model in the GPT-5 line deployed with mitigations for “High capability in Cybersecurity,” while also continuing to be treated as “High capability” in the biological and chemical domain. At the same time, the report says the model did not meet the company’s threshold for “High capability” in AI self-improvement, and that its chain-of-thought controllability remains low, a result presented as supportive of monitorability.

GPT-5.4 Thinking System Card: Why the Safety Report Matters as Much as the Model Launch

OpenAI’s launch of GPT-5.4 was the headline event. But the more consequential document for researchers, enterprise buyers, and AI safety watchers may be the GPT-5.4 Thinking System Card published alongside it on March 5, 2026. The report does more than summarize benchmark wins. It lays out how the company now classifies the model under its preparedness framework, where it sees the largest risks, and what safeguards it says are in place before broad deployment. For anyone trying to understand where frontier AI is heading, that matters as much as raw performance.

The system card identifies GPT-5.4 Thinking as the latest reasoning model in the GPT-5 series and says it is the first general-purpose model in that family to have implemented mitigations for “High capability in Cybersecurity.” That is the clearest news signal in the document. Previous releases had safety writeups, but this one moves cyber risk from a background concern to a front-and-center deployment category for a broadly usable model rather than a more specialized coding release.

The report also says GPT-5.4 Thinking continues to be treated as “High capability” in the biological and chemical domain, carrying forward the same stance used for its predecessor in that category. By contrast, OpenAI says the model did not reach its threshold for “High capability” in AI self-improvement. In the company’s framework, that threshold is defined as performance comparable to a capable mid-career research engineer, and the system card says the final checkpoint fell below that bar. Together, those three findings create the basic safety profile of GPT-5.4 Thinking: high enough in cyber and bio to trigger stronger controls, but not high enough in autonomous AI R&D to cross the next threshold.

That framing matters because GPT-5.4 is not being positioned as a narrow lab artifact. The launch materials present it as a professional-work model for ChatGPT, the API, and Codex, with strong reasoning, coding, tool use, native computer use, and long-context support. In the API, the model page lists a 1.05 million-token context window, 128,000 max output tokens, text-and-image input, and configurable reasoning effort from none to xhigh. The system card therefore has to be read against a model that is not only more capable on paper, but also designed to operate across larger workflows and software environments.

One of the most important parts of the report is that it does not present safety as a single filter. Instead, it describes a layered approach. For cybersecurity misuse, the card says the company now uses a combination of message-level and user-level mitigation rather than downgrading suspicious sessions to a weaker model. It says asynchronous message-level blocking has been added when online classifiers indicate high-risk harmful intent, with the exact application depending on product surface and customer cohort. That is a meaningful operational change because it suggests the company now wants to keep the stronger model available for legitimate use while interrupting suspected abuse more selectively.

The report also describes account-level enforcement and a gated access route for dual-use defenders. It says accounts that cross certain flagging thresholds can trigger deeper automated analysis and, in some cases, manual human review. At the same time, the Trusted Access for Cyber program remains in place as an identity-based gated program intended to let legitimate enterprise and defender users access high-risk dual-use cyber capabilities. This dual structure is revealing: broader monitoring for misuse on one side, trust-based carve-outs for vetted security work on the other.

Another notable section concerns computer use. The system card says GPT-5.4 Thinking was trained to follow both platform-level policy for high-risk actions and configurable developer-provided confirmation policy, rather than relying on one fixed confirmation behavior baked into the model. It also says confirmation policy is now supplied in the system message for ChatGPT and API deployment, and that this should make it easier to update the system-level policy quickly and to give developers more steerable control over when the model asks for confirmation. In plain terms, that means OpenAI is treating computer-use safety as a policy-and-platform problem as much as a model-alignment problem.

On baseline safety testing, the picture is mixed but mostly incremental. The system card says GPT-5.4 Thinking generally performs on par with GPT-5.2 Thinking on disallowed-content benchmarks, with statistically significant improvements on illicit non-violent activity and self-harm evaluations. On dynamic mental-health evaluations, it says GPT-5.4 outperforms previous models. The report also provides an illustrative estimate that 99.9534% of GPT-5.4 Thinking outputs would not violate harassment policy, even before additional safety interventions beyond the model’s own safety training are applied. That estimate should be read carefully, because the card also notes these benchmarks are deliberately challenging and not representative of average production traffic.

The same measured tone appears in the jailbreak section. The card says OpenAI replaced its earlier benchmark with a more challenging multiturn jailbreak evaluation derived from red-teaming exercises. GPT-5.2 Thinking and GPT-5.4 Thinking both substantially outperform GPT-5.1 Thinking on this newer test, with the big jump occurring from 5.1 to 5.2 and a smaller additional gain from 5.2 to 5.4. That makes the 5.4 story less about a dramatic safety leap and more about continued hardening on top of already improved defenses.

The prompt-injection results are similarly nuanced. The system card says GPT-5.4 improved against prompt-injection attacks targeting email connectors but regressed slightly on attacks into function cells. Vision safety results were generally on par with predecessor models, with only minor regressions in one erotic-harm category that the report says had low statistical significance. This is the sort of detail often missing from launch marketing, and it is one reason system cards matter: they preserve the unevenness of real model behavior instead of flattening it into a single success narrative.

Health performance is one of the clearest examples of those tradeoffs. On HealthBench, GPT-5.4 scored 62.6% versus 63.3% for GPT-5.2, and on HealthBench Hard it scored 40.1% versus 42.0%. But on HealthBench Consensus it improved to 96.6% from 94.5%. The system card attributes part of this pattern to behavior changes: GPT-5.4 seeks less context than GPT-5.2, which helps precision when enough context is already present but weakens performance when important information is missing. That is not the profile of a uniformly “better” model. It is the profile of a model with different tradeoffs.

The chain-of-thought sections are arguably the most conceptually important. The system card says chain-of-thought monitoring can provide a richer safety signal than actions and final outputs alone, and reports that monitorability generally improves as models produce longer chains of thought. At the same time, it says GPT-5.4 Thinking has lower aggregate chain-of-thought monitorability than GPT-5 Thinking on average, though the decline is not uniform across tasks. One exception the report calls out is agentic misalignment, where monitorability improved substantially and was near 100% for GPT-5.4 Thinking.

That discussion connects directly to a separate research release published the same day. There, OpenAI says current frontier reasoning models generally struggle to control their chains of thought in ways that reduce monitorability. The company reports that controllability scores across tested frontier models stayed low and did not exceed 15.4%, and the system card says GPT-5.4 Thinking successfully controls only 0.3% of chains of thought that are 10,000 characters long, versus 0.2% for GPT-5.2 Thinking. OpenAI presents that as reassuring because a model that cannot reliably reshape its own reasoning traces is less able, in theory, to hide unsafe intent from monitors.

The preparedness story does not stop at internal testing. The system card includes an external evaluation focused on sandbagging, strategic deception, and sabotage. It says a near-final representative version of GPT-5.4-reasoning was evaluated for covert behavior, and reports a mean sabotage score of 0.56, with best-of-10 at 0.74. The card says this is comparable to GPT-5.2 and below GPT-5.3-Codex, while also noting that on several hard tasks the model exceeded human baselines. The report immediately adds an important caution: those findings show the model can identify and execute relevant technical steps for sabotage in a simple simulated setting, but they do not show that it can reliably conceal sabotage or evade realistic monitoring.

Read as a whole, the GPT-5.4 Thinking System Card is not a victory lap. It is a sign that frontier-model deployment is becoming more institutionalized, more operational, and more explicit about category-specific risk. The document says GPT-5.4 Thinking is strong enough in cyber and bio to trigger high-capability safeguards, not strong enough in AI self-improvement to cross the next threshold, somewhat better on several abuse-resistance measures, uneven in health and prompt-injection results, and still limited in its ability to manipulate its own reasoning traces. That is a more mature message than simple benchmark boasting. It suggests the next phase of AI competition will be judged not only by what models can do, but by how clearly companies can explain the risks that come with those capabilities.

Powered by Froala Editor