2025-01-23 · OpenAI

Operator System Card

Tags: security, agents, models


Source: OpenAI Date: 2025-01-23 URL: https://openai.com/index/operator-system-card

Summary

The Operator system card documents the safety evaluations, capability limits, and risk mitigations for OpenAI’s autonomous web agent product. Key concerns covered include: preventing Operator from being manipulated by malicious web content (prompt injection via websites), limits on high-stakes irreversible actions (financial transactions, account modifications), and the authorization model for what users can and cannot delegate.

Implications

Safety/agentic thread. Operator’s system card is significant because web agent safety presents different challenges from language model safety: the attack surface includes adversarial web content (a webpage can contain hidden instructions to manipulate the agent), the consequences of actions can be irreversible (a placed order, a submitted form), and the authorization model for agent actions is less well-developed than for text generation. The system card reflects OpenAI’s initial attempt to define safety standards for a new category of AI product. Prompt injection via web content, where malicious content on a page can hijack the agent’s behavior, remains one of the most important unsolved problems in web agent deployment, and the system card’s treatment of it signals how seriously OpenAI took the risk at launch.
