Key Takeaways
- The UK AI Security Institute (AISI) discovered universal jailbreaks in OpenAI’s GPT‑5.6 Sol that can bypass safety guardrails and enable autonomous cyber‑attack capabilities.
- These jailbreaks allow the model to discover software vulnerabilities and generate exploit code without further human input.
- Although OpenAI claims to have mitigated the specific issues, AISI expects further red‑team testing to reveal similar weaknesses.
- The findings echo an earlier jailbreak in Anthropic’s Fable 5 model that triggered U.S. export controls, yet the U.S. government has not imposed comparable controls on GPT‑5.6.
- Experts argue that patching individual jailbreaks only closes specific attack instances; the broader class of model‑level vulnerabilities remains.
- OpenAI maintains a layered safety approach—continuous monitoring, automated black‑box red‑team testing, and external audits—while acknowledging that perfect security is unattainable.
- The case highlights ongoing uncertainty in U.S. AI policy regarding inconsistent treatment of different labs’ models and the need for transparent, adaptive safeguards.
Overview of the UK AI Security Institute’s Findings
The UK AI Security Institute (AISI) released a technical system card alongside OpenAI’s public launch of GPT‑5.6 Sol, detailing the results of its pre‑release safety evaluation. According to the document, AISI researchers uncovered a set of “universal jailbreaks” in the model’s cyber‑domain safeguards. These jailbreaks are prompts or sequences that can coax the model into ignoring its built‑in restrictions designed to prevent harmful activities. Once the guardrails are bypassed, GPT‑5.6 can be directed to perform tasks that were explicitly prohibited, such as scanning code for weaknesses, generating exploit code, and orchestrating autonomous hacking campaigns. The institute emphasized that the jailbreaks were not obscure edge cases but rather broadly applicable techniques that could be adapted to a variety of cyber‑offensive scenarios. The findings were included in the system card that OpenAI published to provide transparency about the model’s limitations and the steps taken to address them.
Nature of the Jailbreaks and Their Implications
AISI reported that the discovered jailbreaks enabled long‑form, agentic task completion in areas such as vulnerability discovery and exploit development. In practice, a user could feed the model a series of innocuous‑looking prompts that, when combined, cause it to search public repositories, identify unpatched software flaws, and then produce working exploit scripts without further human intervention. The institute noted that these jailbreaks were relatively easy to devise—often constructed within a few hours of focused effort—although the researchers benefited from privileged access to internal model diagnostics, including chain‑of‑thought traces of the safety monitor, exact policy wording, and real‑time classifier feedback. This insider view likely accelerated the discovery process, but AISI’s red‑team lead, Xander Davies, suggested that comparable jailbreaks could still be found by external attackers, albeit with more trial and error. OpenAI said it had reproduced the specific jailbreaks and applied mitigations, yet the institute warned that further red‑team testing would likely surface similar weaknesses.
Parallels with the Anthropic Fable 5 Incident
The situation mirrors an earlier episode involving Anthropic’s Fable 5 model. In June 2024, Amazon researchers identified a jailbreak in Fable 5 that unlocked the model’s ability to locate software vulnerabilities, a capability that was supposed to be gated behind strict usage policies. That finding prompted the Trump administration to impose export controls on both Fable 5 and its underlying Mythos 5 model, effectively forcing Anthropic to suspend the models for all users because it could not verify users’ nationalities and the ban also applied to its non‑American staff. Anthropic later characterized the Amazon jailbreak as narrow, noting that no one had yet found a universal bypass that would unlock a full suite of cyber capabilities. By contrast, AISI’s assessment of GPT‑5.6 describes the jailbreaks as universal and capable of enabling autonomous exploit execution, not just vulnerability identification. Despite the apparent severity, the U.S. government has not levied export controls on GPT‑5.6, a discrepancy that has sparked debate among AI policy observers about consistency in regulatory treatment.
Expert Reactions and Broader Security Context
Security professionals cautioned against interpreting the AISI findings as either a catastrophic failure or a negligible issue. Margaret Cunningham, vice president of security and AI strategy at DarkTrace and a NIST collaborator, argued that the real concern lies in the accelerating pace of offensive AI capabilities while defensive measures remain reliant on slow, human‑driven processes such as vulnerability triage and patch management. She warned that fixing the specific jailbreaks only closes those particular attack vectors, leaving the broader class of model‑level weaknesses untouched. Dr. Stanislav Fort, founder and CTO of AI cybersecurity startup AISLE and a former researcher at Anthropic and Google DeepMind, echoed this view, stating that patching individual jailbreaks “unfortunately only closes those specific attack instances, not the category as a whole.” He emphasized that even after mitigations, GPT‑5.6 will likely retain many undiscovered jailbreaks, and that anticipating further discoveries is the correct security posture. Both experts stressed the need for continuous monitoring, layered defenses, and rapid remediation rather than reliance on static guardrails.
OpenAI’s Response and Government Actions
OpenAI acknowledged the AISI findings in its launch blog for GPT‑5.6, reiterating that “there is no such thing as perfect security” and that new weaknesses and jailbreaks will continually emerge. The company said it employed a layered safety strategy that combines real‑time monitoring of model outputs, automated black‑box red‑team testing (where another AI model attempts the jailbreaks under user‑level access), and periodic audits by external security experts. OpenAI also noted that it had worked with AISI to reproduce and mitigate the specific jailbreaks reported, although it did not disclose the exact technical nature of those mitigations. Regarding governmental involvement, OpenAI revealed that the White House had requested a staggered release of GPT‑5.6, initially limiting access to trusted partners who required individual approval. The firm described this as a temporary measure intended to facilitate broader availability while collaborating on a cyber‑focused Executive Order framework. However, White House officials later denied granting any special permission, asserting that model release timelines rest solely with the AI companies. As of the article’s date, no export controls have been imposed on GPT‑5.6 despite the identified jailbreaks.
Technical Considerations and Outlook
Researchers point out that virtually any AI model’s guardrails can be broken if an attacker gains access to the model’s neural‑network weights or can make unlimited query attempts over time. Even without weight access, persistent probing can eventually uncover weaknesses, which is why most vendors rely on classifiers—smaller auxiliary models that filter suspicious prompts before they reach the primary model—and on continuous monitoring to detect anomalous behavior. AISI’s privileged access to chain‑of‑thought traces and real‑time classifier labels undoubtedly sped up its jailbreak discovery, but lead red‑team member Xander Davies suggested that comparable exploits remain discoverable without such advantages, though the effort required would be greater. The ongoing cat‑and‑mouse dynamic between model developers and adversarial testers underscores the impossibility of achieving ironclad safety guarantees. Consequently, the AI community is moving toward frameworks that emphasize transparency, shared red‑team benchmarks, and adaptive safety policies that can evolve as new jailbreaks surface. For GPT‑5.6, the immediate takeaway is that while OpenAI has addressed the specific vulnerabilities highlighted by AISI, the model—and indeed all frontier AI systems—will likely continue to harbor latent risks that demand vigilant, ongoing scrutiny.

