AIToday

OpenAI、自動攻撃AI「GPT-Red」発表 人間13%に対し84%成功

ITmedia AI+9h ago
OpenAI、自動攻撃AI「GPT-Red」発表 人間13%に対し84%成功

Key takeaway

OpenAI has released GPT-Red, an automated AI model designed to find vulnerabilities in its own systems by simulating attacks. In testing, GPT-Red achieved an 84% success rate at prompt injection attacks on previously unseen scenarios, compared to just 13% for human security testers. The company used this automated red-teaming approach to train its latest model, GPT-5.6 Sol, which reduced its failure rate on the most difficult direct prompt injection benchmark to 0.05%—one-sixth of the previous best product model's rate from four months earlier.

Summaries like this, in your inbox every morning.

Sign up free →

3 Key Points

  • 何が起きたか

    OpenAIは7月15日、自社モデルの脆弱性を自動で発見するAI「GPT-Red」を発表しました。人間のレッドチーマー(セキュリティテスター)による攻撃成功率が13%だったのに対し、GPT-Redは84%のシナリオで攻撃に成功しました。

  • なぜ重要か

    人間による脆弱性検査は時間がかかり大規模に実施しにくく、モデルを堅牢にするのに必要な量と多様性の攻撃データを生成できません。GPT-Redはこの課題を自動化・大規模化し、最新モデル「GPT-5.6 Sol」は最難関のプロンプトインジェクションベンチマークで失敗率を4カ月前の6分の1に低下させました。

  • 注目点

    GPT-Redは社内専用モデルとし、訓練した攻撃能力が悪意ある者の手に渡らないようにします。詳細を記した査読前論文は今週後半に公開される予定です。

In Depth

On July 15, OpenAI unveiled GPT-Red, an automated red-teaming AI designed to discover vulnerabilities in its own models before deployment. Red-teaming is a security validation technique where testers adopt an attacker's perspective to probe for weaknesses. Human red-teamers have historically been the standard, but they face two critical constraints: the process is time-consuming and difficult to scale, and it cannot generate the volume and variety of attack data required to meaningfully improve model robustness through training.

GPT-Red mimics human red-teamers by iteratively sending prompts to target models, observing responses, and refining attacks. The system was trained using self-play reinforcement learning, where an attacking GPT-Red model trains simultaneously against multiple defensive language models. The attack side earns rewards by successfully executing prompt injections (embedding malicious commands within instructions), while the defense side earns rewards by resisting attacks and completing its intended task. As defenders strengthen, attackers learn to devise more powerful and diverse attacks—creating a virtuous cycle. OpenAI invested computation resources equivalent to its largest post-training efforts purely into this safety work.

The performance gains are substantial. In testing on indirect prompt injection scenarios using previously unseen scenarios, human red-teamers achieved a 13% attack success rate, while GPT-Red succeeded in 84% of cases. In a real-world test, OpenAI tasked GPT-Red with attacking an AI vending machine agent running in its offices (similar to Anthropic's experimental Project Vend). GPT-Red achieved all three malicious objectives: modifying high-priced items to cost $0.50, ordering items over $100 and reselling them for $0.50, and canceling other customers' orders. These vulnerabilities have been disclosed and are now undergoing remediation testing.

GPT-Red's primary role is to feed discovered attacks into product model training to increase robustness. The latest model, GPT-5.6 Sol, benefited from adversarial training using GPT-Red attacks. On the most difficult direct prompt injection benchmark, GPT-5.6 Sol's failure rate dropped to one-sixth of the best product model from four months prior. Against direct prompt injection attacks from GPT-Red itself, the failure rate is just 0.05%. A novel attack type discovered by early GPT-Red versions—called "fake Chain-of-Thought attacks"—had a success rate exceeding 95% against GPT-5.1 but now falls below 10% on GPT-5.6 Sol. OpenAI stresses that this safety improvement came without sacrificing capability: the model retained its normal abilities while gaining resistance to malicious instructions.

To prevent misuse, GPT-Red remains an internal model, strictly separated from deployed systems, ensuring its trained attack capabilities do not reach bad actors. OpenAI framed the effort as initiating a "safety flywheel," using today's models to make tomorrow's models more robust and trustworthy. The company plans to expand compute and training data for stronger future versions of GPT-Red. A peer-reviewed paper detailing the work is scheduled for release later this week.

Context & Analysis

OpenAI's announcement of GPT-Red reflects a shift in how AI companies approach safety validation. Traditional red-teaming by human experts is labor-intensive and cannot generate the volume and variety of attack data needed to significantly improve model robustness. By automating this process with an AI opponent trained via self-play, OpenAI aims to create what it calls a "safety flywheel"—a cycle where today's models train tomorrow's models to be more resilient. The company invested computation resources equivalent to its largest post-training efforts solely into safety, underscoring the resource commitment required.

The real-world test on an AI vending machine agent in OpenAI offices demonstrated the practical stakes: GPT-Red successfully achieved three malicious goals (price manipulation, order fraud, and order cancellation) that previous defenses had not caught. This discovery then fed back into training GPT-5.6 Sol, which now exhibits dramatically lower failure rates on prompt injection benchmarks. The company emphasizes that this robustness gain came without degrading model capability—a critical distinction, since overly defensive models often become less useful. By keeping GPT-Red internal and planning to publish a peer-reviewed paper, OpenAI is attempting to balance transparency with security, allowing the research community to learn from the work while preventing attack tools from proliferating.

FAQ

What is prompt injection and why does it matter?
Prompt injection is an attack where malicious commands are hidden within instructions sent to an AI model. GPT-Red specializes in discovering these vulnerabilities so they can be patched before deployment.
How does GPT-Red learn to attack so effectively?
GPT-Red uses self-play reinforcement learning, where it trains simultaneously against multiple defensive language models. The attack side earns rewards for successful injections, while the defense side earns rewards for resisting attacks and completing its original task—creating a cycle where each side becomes stronger.
Will OpenAI release GPT-Red publicly?
No; GPT-Red is kept as an internal-only model separated from deployed models to prevent its trained attack capabilities from reaching malicious actors.

Get the latest Large Language Models news every morning

AI-summarized, only the topics you pick — one digest a day via Email, Slack, or Discord.

Free · takes 30 seconds · unsubscribe anytime

Discussion

No comments yet. Be the first to share your thoughts!

Log in to join the discussion

Related Articles

Stay ahead with AI news

Get curated AI news from 200+ sources delivered daily to your inbox. Free to use.

Get Started Free

Free · takes 30 seconds · unsubscribe anytime

1 minute a day. The AI essentials.

200+ sources · Email / LINE / Slack

Get it free →