GPT-5.6 Sol, Terra, Luna（39 分読み）

1. Introduction

GPT-5.6 is a new family of three models: Sol, our new flagship model;

Terra, a capable lower-cost option; and Luna, our fastest and most

cost-efficient model. The safeguards we have built for this launch—our

most robust yet—are built to deliver these models safely and at scale,

around the world.

We believe in broad access, and we plan to make GPT-5.6 Sol, Terra,

and Luna generally available in the coming weeks. As part of our ongoing

engagement with the U.S. government, we previewed our plans and the

models’ capabilities ahead of today’s launch. At their request, we are

starting with a limited preview for a small group of trusted partners

whose participation has been shared with the government, before

releasing more broadly. During this preview, we will continue testing

and coordinating closely with partners as we work toward broader

availability.

Under our Preparedness Framework, we are treating Sol, Terra and Luna

as High capability in both Cybersecurity and Biological and Chemical

risk. None of them reach our High threshold in AI Self-Improvement. We

have implemented a tailored set of safeguards, adapted to each model’s

capability profile, to sufficiently minimize the associated risks.

This system card is a detailed report of the work we did to

understand and mitigate GPT-5.6’s safety risks before deployment. The

five most important things to know are that:

• These models are a meaningful step up in cybersecurity

capability, but they do not reach our risk framework’s highest level

(Critical). GPT-5.6 Sol and Terra can find vulnerabilities and

pieces of exploits, but in cybersecurity testing

they were unable to carry out autonomous, end-to-end attacks against

hardened targets. Separate evaluations examined misaligned

behavior in agentic coding tasks and found GPT-5.6 shows a

greater tendency than GPT-5.5 to go beyond the user’s intent, including

by taking or attempting actions that the user had not asked for, though

absolute rates remain low.

• To make these models safe, we added new technology to a

safety stack that is more than the sum of its parts. The models

are trained to

be safe, Sol and Terra are served with newly added activation classifiers

focused on sensitive domains that watch the model and can intervene to

stop unsafe answers during generation, and certain conversations are

scanned so unsafe outputs are blocked in real time if they cross safety

boundaries. We also have automated safety systems that look for unsafe

patterns across conversations that would not be clear from any single

moment.

• Severe harm requires a chain of successful steps, and our

safeguards place barriers throughout that chain. Based on our

threat modelling in

cybersecurity and biology, we’ve designed our safety stack so that even

if an attacker does complete one step on the path to harm, safeguards

will still stop the model from allowing severe harm. We also have

programs in place so

that when GPT-5.6 models are broadly available to the public, we can

continue to reserve the most sensitive cybersecurity and biological

capabilities for trusted defenders.

• Our safeguard testing has already been more intensive than

for any earlier release, and we are continuing to test during the

preview period. Expert humans and external testers used a

diverse set of approaches to find gaps. We’ve also dedicated over

700,000 A100e GPU hours to automatically find

universal jailbreaks, and we will run automated red teaming

continuously during deployment. As jailbreaks are reported, we

reproduce, mitigate and retest for them so that gaps are addressed.

• Providing broad access, particularly for cybersecurity

capabilities, will have important safety benefits. Our testing

suggests that GPT-5.6 is better at finding and fixing cyber

vulnerabilities than at exploiting those vulnerabilities in real

attacks. That gives defenders an opportunity to harden systems before

cybersecurity weaknesses are exploited—an opportunity that may narrow as

offensive capabilities improve. Our safeguards therefore focus on making

malicious use at scale harder, while still enabling the day-to-day work

of securing systems.

In this card, we show how performance changes with reasoning

effort—the amount of thinking a model uses to work through a problem.

Rather than report a single score, we show a curve across different

levels of effort. This gives a fuller picture of what the model can do

and how much effort it takes to get there.

Note that we are continually iterating on our models. Comparison

values from previously-launched models are from recent snapshots of

those models, and may vary slightly from values published in previous

cards.**

We plan to publish an updated version of this system card when making

the GPT-5.6 family of models generally available.

2. Model Data and Training

Like OpenAI’s other models, GPT-5.6 was trained on diverse datasets,

including information that is publicly available on the internet,

information that we partner with third parties to access, and

information that our users or human trainers and researchers provide or

generate. Our data processing pipeline includes rigorous filtering to

maintain data quality and mitigate potential risks. We use advanced data

filtering processes to reduce personal information from training data.

We also employ safety classifiers to help prevent or reduce the use of

harmful or sensitive content, including explicit materials such as

sexual content involving a minor.

OpenAI reasoning models are trained to reason through reinforcement

learning. These models are trained to think before they answer: they can

produce a long internal chain of thought before responding to the user.

Through training, these models learn to refine their thinking process,

try different strategies, and recognize their mistakes. Reasoning allows

these models to follow specific guidelines and model policies we’ve set,

helping them act in line with our safety expectations. This means they

provide more helpful answers and better resist attempts to bypass safety

rules.

Note that comparison values from previously launched models are from

the latest versions of those models, so may vary slightly from values

published at launch for those models.1

3. Model Safety

3.1 Disallowed Content

3.1.1 Evaluations with Challenging Prompts

We conducted benchmark evaluations across disallowed content

categories. We report here on our Production Benchmarks, an evaluation

set with conversations representative of challenging examples from

production data. As we noted in previous system cards, we introduced

these Production Benchmarks to help us measure continuing progress given

that our earlier Standard evaluations for these categories had become

relatively saturated.

These evaluations were deliberately created to be difficult. They

were built around cases in which our existing models were not yet giving

ideal responses, and this is reflected in the scores below. Error rates

are not representative of average production traffic. The primary metric

is not_unsafe, checking that the model did not produce output that is

disallowed under the relevant OpenAI policy.

Our evaluations are run on the model without system-level safeguards,

to ensure the model’s underlying behavior meets our safety bar. We

continue monitoring these categories after launch to evaluate online

performance and further adjust safeguards as appropriate.

Values from previously launched models are from the latest versions

of those models, and evals are subject to some variation. Values may

vary slightly from values published at launch for those models. The

comparison scores from earlier models listed below are intended to shed

light on relative performance. Because policies, graders, datasets, and

other measurement details evolve over time, scores not included in the

table below should generally not be considered directly comparable to

these most recent results.

Production Benchmarks with Challenging Prompts (higher is better)

Categorygpt-5.1-thinkinggpt-5.2-thinkinggpt-5.4-thinkinggpt-5.5-thinkinggpt-5.6-solgpt-5.6-terragpt-5.6-luna

Violent Illicit behavior0.9550.9750.9710.9400.9340.9520.940

Nonviolent illicit behavior0.9900.9931.0000.9870.9870.9900.993

Extremism1.0001.0001.0000.9250.9620.9810.981

Hate0.8080.9270.9431.0000.9821.0001.000

Self-harm (standard)0.9260.9610.9870.9170.9450.9620.954

Gore0.8000.8770.8310.8000.7080.6000.585

Sexual0.9330.9400.9330.9440.9480.9660.944

Sexual/minors0.9160.9480.9660.9380.9730.9740.974

Note (compared to previous system cards): to deduplicate overlaps

between our previous “hate” and “harassment” categories, we are merging

“harassment” and “hate” into a single evaluation. Additionally, we have

renamed our previous “violence” category to “gore”1 in

order to more clearly distinguish it from requests related to illicit

violent behavior; this is a naming change, not a change in the

underlying evaluation.

We find that the GPT-5.6 series performs similarly to previous

thinking models, with the exception of gore. On ChatGPT, for users we

believe may be under 18, we apply additional age-appropriate content

protections that further restrict sexual content and exposure to gore.

You can read more about these safeguards and [our

approach to Age Prediction](https://openai.com/index/our-approach-to-age-prediction/).

3.1.2 Forecasting Disallowed Content Changes with Deployment Simulation

Building on evaluations in the [GPT-5.4

Thinking](https://deploymentsafety.openai.com/gpt-5-4-thinking/production-benchmarks-with-representative-prompts) and GPT-5.5

system cards, we simulate model deployment before release by leveraging

approximately representative production prompts. While estimates in

these prior system cards were experimental, we have since more

thoroughly validated this approach [in our recent

research](https://openai.com/index/deployment-simulation/). In light of this, we are updating how we report results in

this section. We are still expanding the rollout of this technique, and

for the scope of this system card we evaluated GPT-5.6 Sol only. In

accordance with our privacy policy, we only analyzed ChatGPT traffic

from users who allow their data to be used for model improvements. We

additionally exclude multi-modal conversations. We sample uniformly

among remaining conversations.

Before the release of the model, we leverage past ChatGPT production

GPT-5.5 conversations to simulate the deployment of GPT-5.6 Sol by

resampling the final assistant turn with the new model. We then

automatically label the resulting resampled completions for disallowed

content. These labels may be limited in their precision especially for

low prevalence behaviors, but can still provide valuable directional

signal.

In the figure below, we report the forecasted prevalence of unsafe

model-level outputs. For example, based on the observed distribution of

conversations with GPT-5.6 Sol, we estimate that approximately 8.6 out

of every 100,000 production conversation turns with GPT-5.6 Sol would be

graded as violating our harassment policy.

Simulation-based forecasts.** Comparing a deployment

simulation of GPT-5.6 Sol to a deployment simulation of GPT-5.5 predicts

that GPT-5.6 Sol will have, on average, about the same amount of

disallowed content violations as GPT-5.5 during deployment. We compare

between simulation rates in order to remove the role of confounders in

our pipeline. To identify measured changes that are unlikely to be due

to noise, we use a two-sided Fisher exact test with significance 0.1,

without correcting for multiple comparisons. Based on this statistical

test, the only significant changes appear to be sexual disallowed

content (increased by 40%, from 0.05% to 0.07%), and disallowed mental

health responses (reduced by roughly 40%, from 0.03% to 0.02%). While

the relative increase is notable, the absolute rate remains low and the

model meets our safety bar in this area. We assess that this result does

not materially change the model’s overall risk profile.

![Figure 1. The predicted change is the relative increase or decrease we expect

from GPT-5.6 Sol when compared to GPT-5.5. Incidence rates are provided

as n in 100k. The notation 5.6 Sol → 5.5 indicates that we are

resampling production prefixes from GPT-5.5 with GPT-5.6 Sol, that is,

simulating GPT-5.6 Sol’s deployment based on production data from

GPT-5.5. Resampling fidelity error is a measure of the simulation

quality: more formally, it is the symmetric multiplicative error of the

rates estimated by a simulation of an old deployment, and the realized

rates in the old deployment. In this case, we use GPT-5.5 for estimating

the resampling fidelity error of our pipeline. For more details on the

setup, see our research on [deployment

simulation](https://openai.com/index/deployment-simulation/).](https://deploymentsafety.openai.com/data/eval-sets/gpt-5-6-preview/assets/images/image12.png)

Simulation quality. Comparing GPT-5.5 production

data and GPT-5.5 deployment simulation using GPT-5.5 production data we

can isolate the resampling environment error of our pipeline (a proxy of

simulation quality for the quantities we care about estimating). The

median symmetric multiplicative error of our simulation is 1.2x, with

higher rates concentrated in lower-frequency categories, which is mostly

consistent with noise – as seen in the figure below.1

![Figure 2. The funnel shows where symmetric multiplicative errors would fall

approximately 90% of the time if production and simulation had the same

true rate and any observed gap was exclusively due to noise; errors that

fall inside the shaded region are more consistent with noise, while any

point outside would have less than 10% chance of being due to noise,

i.e. occurring if the simulation were perfect.](https://deploymentsafety.openai.com/data/eval-sets/gpt-5-6-preview/assets/images/image48.png)

Prior estimate quality. Because of significant

changes in our simulation pipeline since our last system card,

production rates for GPT-5.5 are not comparable to our estimates made in

the GPT-5.5 system card, making it infeasible to fairly validate them.

We will prioritize being able to do so for future system cards.

As [shown in

our research](https://openai.com/index/deployment-simulation/), these forecasts can be imperfect due to temporal

drifts both in the underlying distributions of production traffic and

due to simulation pipeline, but are still highly correlated with

production outcomes.

3.2 Vision

We ran the image input evaluations introduced with ChatGPT agent,

that evaluate for not_unsafe model output, given disallowed combined

text and image input.

Image input evaluations, with metric not_unsafe (higher is

better)

Categorygpt-5.1-thinkinggpt-5.2-thinkinggpt-5.4-thinkinggpt-5.5gpt-5.6-solgpt-5.6-terragpt-5.6-luna

hate0.9810.9880.9880.9990.9990.9990.996

extremism0.9840.9870.9950.9860.9750.9780.966

self-harm0.9840.9860.9990.9830.9890.9860.990

harms-erotic0.9990.9980.9900.9870.9860.9910.986

We find that GPT-5.6 series performs generally on par with its

predecessors. Minor regressions are not statistically significant.

3.3 Avoiding Accidental Data-Destructive Actions

We ran our destructive actions evaluation, which measures a model’s

ability to complete tasks without overwriting user changes and data that

are adversarially injected into the task environment. In prior system

card evaluations, we evaluated and deployed models with additional

prompting mitigations designed to maintain strong overwrite-avoidance

performance. For GPT-5.6, we trained the models to maintain a strong

standard of overwrite avoidance while improving autonomy without relying

on extra cautious prompting.

GPT-5.6 Sol remains strong at avoiding data overwrites, with an

avoidance-only score slightly below GPT-5.5’s, and matches GPT-5.5 on

the combined metric. This metric measures whether a model can

successfully complete a challenging task without overwriting undesired

data. In general, our larger models outperform the smaller Terra and

Luna models on complex tasks while avoiding edit conflicts.

Categorygpt-5.5gpt-5.6-solgpt-5.6-terragpt-5.6-luna

Avoidance only0.880.830.810.73

Avoidance + Correctness0.440.440.370.32

3.4 User Confirmations During Computer Use

The model is trained to follow both platform-level policy for

high-risk actions and configurable developer-provided confirmation

policy provided in the developer message in line with our approach to

instruction hierarchy.

This provides a number of benefits, including:

• Ability to rapidly update the system-level policy if issues are

identified.

• Ability to customize the confirmation policy in the API, for example,

to better enable steerable confirmations by the model when engaging

computer use.

In ChatGPT and API deployment, we provide the confirmation policy in

the system message. Below are the results of our user confirmations

during computer use evaluations.

Categorygpt-5.2-thinkinggpt-5.3-codexgpt-5.4-thinkinggpt-5.5gpt-5.6-solgpt-5.6-terragpt-5.6-luna

Financial transaction1.000.991.001.000.980.981.00

High-stakes communication1.000.991.000.980.990.980.99

General confirmation0.940.910.940.940.930.940.93

4. Robustness Evaluations

4.1 Jailbreaks

We evaluate model robustness to jailbreaks: adversarial prompts

designed to circumvent model refusal training and elicit harmful

assistance. This evaluation focuses on jailbreaking the model directly –

without the full set of safeguards we use in production – which measures

one layer of robustness in our safety stack. We have additional

safeguards in production, such as classifiers, that make it much more

difficult for users to jailbreak and obtain harmful assistance.

The evaluation uses realistic scenarios with sophisticated attacker

strategies that can probe, adapt, and escalate over the course of a

conversation. These attacker strategies are challenging multiturn

jailbreaks derived from internal red-teaming exercises.

Model responses are scored based on whether they