
OpenAI is trying to solve one of the most uncomfortable problems in the agentic AI era: the systems that help people browse, code, search files and use connected apps are also exposed to malicious instructions hidden inside the very data they read. Its answer is GPT-Red, an automated red-teaming system designed to attack AI models before real attackers do.
In a new research post, OpenAI says GPT-Red is trained through self-play reinforcement learning, where the attacker model is rewarded for finding valid failures such as prompt injections, while defender models are trained to resist them and still complete legitimate tasks. The goal is not to release a more dangerous model to the public. The goal is to use an internal attacker to make production models safer.
Prompt injection has become one of the defining security challenges for AI agents. A user may ask an assistant to summarise an email, browse a webpage or inspect a code repository, but hidden instructions inside that content can try to override the user’s actual request. For AI systems connected to files, payments, browsers and enterprise apps, that is not a theoretical risk.
OpenAI says human red teams remain important, but they do not scale well enough on their own. Human testers can find clever attacks, but they cannot generate the volume and variety of adversarial examples needed to train every new model generation. GPT-Red is meant to fill that gap by repeatedly probing models across realistic scenarios and producing training data that makes future systems more robust.
The company says GPT-Red found successful attacks in 84 percent of scenarios in a replicated indirect prompt-injection arena, compared with 13 percent for human red teamers in the same setup. OpenAI also says GPT-5.6 Sol is its most robust model to prompt injections so far, with six times fewer failures on its hardest direct prompt-injection benchmark compared with its best production model from four months earlier.
Those numbers should be read carefully because they come from OpenAI’s own tests, but they still point to a serious shift. AI safety is no longer just about blocking bad prompts from users. It is also about training models to recognise when a webpage, tool output, file or third-party system is trying to manipulate them.
This is especially relevant because AI tools are moving from chat into action. Coding agents can edit files. Browser agents can visit websites. Office agents can read documents and calendars. Customer-support agents can access account histories. Once an AI system has tools, prompt injection becomes less like spam and more like a software supply-chain problem.
A related TechBooky report looked at OpenAI’s Codex Micro control pad for managing Codex agents, a sign that AI work is becoming more operational and multi-agent. The more agents are used in real workflows, the more important it becomes to know whether they can resist hidden instructions in the materials they process.
OpenAI’s post also describes realistic case studies, including attacks against an autonomous vending-machine-like system and Codex-style agents in data-exfiltration scenarios. The point is clear: prompt injection is not simply an annoying chatbot trick. It can become a way to manipulate tools, leak information or change decisions.
The most interesting idea behind GPT-Red is the safety flywheel. If today’s AI can automatically find weaknesses in tomorrow’s AI, model developers can improve robustness faster than human teams working alone. This mirrors the way AI is already being used to improve coding, data generation and model training, but applies it to defensive testing.
There is still a trust question. The strongest red-teaming systems may themselves contain offensive capabilities, which is why OpenAI says GPT-Red is kept separate from deployed models. That separation matters because publishing too much operational detail about powerful automated attackers could help adversaries.
For businesses adopting AI agents, the lesson is practical. Do not treat prompt injection as a research curiosity. If an AI tool can read untrusted content and take actions, it needs layered defences, logging, permissions and continuous testing. GPT-Red shows that the frontier labs are taking the risk seriously because the next wave of AI will be judged not only by intelligence, but by how well it behaves when the internet tries to mislead it.