ChatGPT agent System Card
Source: OpenAI
Date: 2025-07-17
URL: https://openai.com/index/chatgpt-agent-system-card
Summary
System card for ChatGPT Agent, published July 2025 alongside the ChatGPT Agent launch announcement. ChatGPT Agent (distinct from Codex, distinct from Operator) is the consumer-facing agentic mode in ChatGPT that can take multi-step actions — browsing the web, writing and executing code, managing files, filling forms, interacting with external services — within a single conversation. The system card documents the safety evaluations performed, the misuse risk categories assessed, and the mitigations deployed before launch.
Implications
The consumer agentic threshold. ChatGPT Agent represents OpenAI shipping autonomous action-taking to its entire consumer user base — not a developer preview, not an enterprise pilot, but a feature available to ChatGPT Plus and Team subscribers. The system card is the accountability document for that decision. The risks documented (prompt injection from web content, unintended action execution, exfiltration of credentials) are real and the mitigations (user confirmation gates, scope limits, sandboxing) are imperfect.
System card maturity. The ChatGPT Agent system card is more detailed than early OpenAI system cards — it reflects the organizational learning from the o1, o3, and Codex system cards and addenda. Whether the evaluation coverage is sufficient for a consumer product with this action surface is contested.
Thread: agentic product safety documentation. The anchor document for understanding how OpenAI approached safety for its first mass-market agentic product. Read alongside the Codex addendum (May 2025), the Responses API computer environment post (March 2026), and the workspace agents announcement (April 2026).
Watch: Incident reports or academic research identifying real-world exploitation of the vulnerabilities documented but not fully mitigated in the system card.