Want a smart insight into your inbox? Sign up for our weekly newsletters to get the only thing that is important to enterprise AI, data, and security leaders. Subscribe now
If you have lost it, Openi started a powerful new feature for Chat GPT yesterday and with that, a host of new security risks and utility.
Called “Chat GPT Agent”, this new feature is an optional format that can be asked to pay users paying “tools” in the entry box immediately and choosing “Agent Form”, they can ask Chat GPT to log in to their email and other web accounts. Write and answer emails. Download, edit and create files. And hosted other tasks, like a real person using a computer with your login credentials, by their own, as autonomous, by them.
Obviously, the user also needs to rely on the chat GPT agent to not do any hassle or unpleasant work, or leak their data and sensitive information. It also offers more and more risks to the user and their employer compared to regular chat GPT, which cannot be logged into web accounts or directly edit files.
“We have activated our strongest safety measures for the Chat GPT agent,” Karen Goo, a member of the Safety Research Team in Openai, said. This is the first model we have categorized as a high capacity in biology and chemistry under our preparation framework.
AI Impact Series returning to San Francisco – August 5
The next step of the AI is here – are you ready? Block, GSK, and SAP leaders include for a special look on how autonomous agents are changing enterprise workflows-from real time decision-making to end to automation.
Now secure your place – space is limited:
So how did Openi handle all these security issues?
Red Team Mission
Openai’s Chat is watching GPT Agent System cardThe “Red Team” employed by the company to test this feature, in particular, faced a difficult mission: in particular, 16 security researchers of PhD were given 40 hours to test it.
Through organized testing, the Red team discovered seven universal actions that can compromise on the system, in which AI agents reveal significant risks in how to handle real -world dialogue.
Most of the things that after that were widely tested on the security of the security were predicted. The Red Teaming Network offered 110 attacks from immediate injections to biological information. Sixteen exceeded the risk limit. Each detection provided insights to open engineers, which they needed to write and deploy reforms before launching.
The results speak on its own Published in System Card. Chat GPT agent emerged with significant improvement in security, which includes 95 % performance against irrelevant instruction attacks against visual browsers and strong biological and chemical safety.
Red teams exposed seven universal feat
Openi’s Red -Taming Network consisted of 16 researchers, including biochemical PhDs, who presented 110 attacks during the examination period. Sixteen exceed the risk limit, which reveals the basic risks of how AI agents handle the real -world dialogue. But the original progress has been made with extraordinary access to the UK AISI’s chat GPT agent’s internal reasoning chains and policy text. Of course. These intelligence were never regular attackers.
More than four testing rounds, the UK’s AISI, forced the Open to implement seven universal achievements, which had the ability to compromise with any conversation.
Attack the vector who forced the hand of the Openi
| Type of attack | Success rate (pre -fix) | Target | Impression |
| Visual browser hidden instructions | 33 % | Web pages | Active Data Exhibition |
| Google Drive Connector exploits | Did not disclose | Cloudy documents | Forced document leaks |
| Multi -phase China attacks | Variable | Cross -site actions | Full session compromise |
| Extract biological information | 16 Permissions exceeded the limit | Dangerous | Potential weapons |
Far.Ai’s diagnosis was subjected to open criticism over an open view. Despite 40 hours of testing, only three partial risks revealed, indicating that the current protective procedures relies heavily on the monitoring during the reasoning and the use of the device, which researchers considered a potential point of failure to compromise.
Red Taming helped how to convert Chat GPT risks to a fortress
Openi’s response to the Red Team results revealed the entire section of Chat GPT agent architecture. One of the many steps, including the construction of a dual -layer inspection architecture that oversees 100 % production traffic in real time, and achieves these measurements.
Improvement of security after the discoveries of the Red Team
| Defense Matriculation | Previous model | Chat GPT Agent | Improvement |
| Irrelevant directions (visual browser) | 82 % | 95 % | +13 % |
| Data Exhibition in the context | 75 % | 78 % | +3 % |
| Active Data Exhibition | 58 % | 67 % | +9 % |
| The reliability of the system | Based on taking samples | 100 % coverage | Thorough supervision |
The architecture works like this:
- The first level: A sharp -ranked 96 % of memories with suspicious content
- Second tier: A reasoning model that 84 % is reminded of the flagged interaction for the original risks
But technical defense tells only one part of the story. Openi chose a difficult security choice that recognizes some AI actions requires important sanctions for secure independent implementation.
Based on the weaknesses discovered, Openi enforced the following response measures in his model:
- Watch mode activation: When Chat GPT agent accesses sensitive contexts such as banking or email accounts, if users get away, the system freezes all activity. This is a direct response to the data excretion efforts discovered during the test.
- Memory features disabledDespite the basic functionality, memory is completely disabled at the time of launch so that the Red Temmers demonstrated to avoid leaking attacks.
- Terminal restrictionsOnly the network access to obtain applications prevents the risks of command implementation that exploit the researchers.
- Rapid Ramedation Protocol: A new system that patching risks within the hours of discovery – after the Red Tammers developed, it appears how quickly the use can spread.
Only during the pre -launch test, the system identified and resolved 16 critical risks that the Red Tammers had discovered.
A biological risk wicup call
The Red Tammers revealed the ability that the Chat GPT agent can be reduced and could pose more biological risks. Sixteen experienced participants of the Red Teaming Network, each of whom do a biochemical PhD, tried to extract dangerous biological information. Their requests have revealed that the model can synthesize the literature published on editing and creating biological risks.
In response to the results of the Red Tammers, the Openi classified the Chat GPT agent as “high capacity” for biological and chemical risks, not because they got certain evidence of weapons’ ability, but also as a precautionary measure of the Red Team results. This dynamic happened:
- Always protecting the safety by scanning 100 % traffic
- 9696 % of the l
- A reasoning monitor that misses 84 84 % of weapons content
- A bio -bug grace program for the dangers of danger
Red Teams What taught Openi about AI Security
The 110 attacks revealed samples that forced fundamental changes in the open security philosophy. These include the following:
Perseverance on strength: The invaders do not need sophisticated achievements, they only need more time. Red Tammers showed how patients could eventually compromise with the system.
The limits of trust are fiction: When your AI agent can access the Google Drive, browse the web, and process the code, traditional security parameters dissolve. The Red Tammers exploited the sects among these capabilities.
Monitoring is not optional: From the discovery that sampling surveillance was deprived of critical attacks.
Affairs of speed: The traditional patch cycle that is measured in weeks is useless against instant injection attacks that can spread immediately. The protocol of rapid remedies patch risks within hours.
Openi Enterprise is providing a new security baseline for AI
To review the deployment of AI, the Red Team discoveries set clear requirements:
- Quantable protection: 95 % of the GPT agent’s defensive rate benchmarks decide against the documentary attack. Many tests and results described in the system card explains the context of how they have performed it and it is important for everyone involved in the model security.
- Complete adventure: 100 Traffic Monitoring is no longer excited. Open experiences make it clear why red teams must hide attacks anywhere.
- Speedy response: Hours, not weeks, to patch discovered risks.
- Enforced limits: Some operations (such as access to memory during sensitive tasks) must be inactive until it is proven.
The UK AISI test proved to be a special education. His seven universal attacks were identified, which were already complicated before the launch, but their privileged access to the internal systems revealed the risks that would eventually be discovered by the opposition.
“This is an important moment for our preparation work.”
Red teams are the core to create more secure, more secure AI model
The seven universal achievements discovered by researchers and 110 attacks from the Open Red Team Network made it a notable that makes the Chat GPT agent fake.
Describing how AI’s agents can surrender, the red teams first forced the formation of the AI system where security is not just a feature. This is the basis.
Chat GPT Agent’s results prove the effect of Red Taming: Stopping 95 % of visual browser attacks, catching 78 % of data exhibition efforts, monitoring each interaction.
In the high -speed AI arms race, companies that will survive and achieve development will be the ones who see their red teams as the main architect of the platform that attracts it to the limits of safety and security.
